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METHOD OF GENERATING PSEUDO-RANDOM NUMBERS IN AN ELECTRONIC DEVICE, AND 
A METHOD OF ENCRYPTING AND DECRYPTING ELECTRONIC DATA 

TECHNICAL FIELD 

5 

The present invention relates to a method of performing numerical computations in a 
mathematical system comprising at least one function, in particular a non-linear function. 
The mathematical system may be a non-linear system of differential equations which 
exhibits chaotic behavior. The Invention also relates to a pseudo-random number 
10 generator applicable to an encryption and decryption method, and to such an encryption 
and decryption method. An electronic device is preferably used for performing the 
computations, 

BACKGROUND OF THE INVENTION 

15 

Cryptography is a generally used term covering science and technology concerned with 
transforming data, so as to be able to store and transmit the data while being able to 
prevent unauthorized access to the data. By means of cryptography, the data are made 
non-comprehensible for any other person but the intended recipient or recipients of the 
20 data. Accordingly, cryptography plays an increasingly more important role in the protection 
of Intellectual property. Including copyright protection, as the technological advancements 
require safe transmission and storage of huge amounts of data. 

In an encryption and decryption algorithm, the specific transformation of data is dependent 
25 on an input to the algorithm, a so-called key. In case the sender and the recipient of the 
data have an appropriate set of keys, the sender and the recipient are able to correctly 
encrypt and decrypt the data while any third person who may gain access to the encrypted 
data is not able to view a properly decrypted version of the encrypted data, as she or he is 
not in possession of an appropriate key. 

30 

Usually, a set of data to be encrypted Is referred to as "plaintext" or "original data", 
whereas the encrypted version of the set of data is referred to as "ciphertext" or 
"encrypted data". 

35 Two types of symmetric cryptographic algorithms are the so-called "block cipher" and the 
so-called "stream cipher". Both types of algorithms use symmetric keys. I.e. the keys used 
for encryption and decryption are equal or trivially related. A block cipher is a 
cryptographic algorithm which splits an 'original set of data Into a plurality of blocks of a 
given size, e.g. 64 bits per block. Mathematical and logical operations are performed on 

40 each block, whereby the original amount of data is usually transformed into blocks of 
pseudo-random data. In case decryption is initiated with the correct decryption key, the 
original data can be re-called by reversing the mathematical and logical operations used 
for encryption. 
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In a (synchronous) stream cipher, a pseudo-random number generator generates, based 
on a key, a sequence of pseudo-random numbers, the sequence being referred to as a 
l<eystream. The keystream is mixed, by arithmetic and/or logical operations, with a 
plurality of sub-sets of the original set of data, the sum of sub-sets of data defining the 
5 original data to be encrypted. The result of the mixing is the encrypted data. The set of 
encrypted data may be decrypted by repeating the procedure in such a way that the 
pseudo-random sequence is extracted from the encrypted data, so as to arrive at the 
original, decrypted data. 

10 The plaintext is often mixed with the l<eystream by use of a logical operator, the so-called 
XOR operator, also referred to as the "exclusive or" operator, which is symbolized by the © 
symbol. XOR generates a one-bit result from two one-bit arguments. All possible 
combinations are: 
0 ® 0 = 0 
0©1 = 1 
1©0 = 1 
1© 1 = 0 

15 Utilization of the XOR operator on a plaintext and a pseudo-random keystream yields a 
ciphertext. During decryption, an identical keystream is generated, and the XOR operator 
is now utilized on the keystream and the ciphertext, resulting in the original plaintext. The 
identical keystream can only be generated by using the key on which the keystream for 
encryption was initially based. 

20 

Further, so-called public key systems have been developed, such systems being 
characterized by a pair of asymmetric keys, i.e. a public key and a private key, the two 
keys being different. In such systems, the public key is usually used for encryption, and 
the private key is usually used for decryption. The private and the public key correspond to 

25 each other in a certain manner. The key which is used for encryption cannot be used for 
decryption, and vice versa. Thus, the public key may be published without violating safety 
In respect of accessibility of the original data. Accordingly, when transmitting encrypted 
data via a computer communications network, the recipient of the data first generates a 
set of keys, including a public and a private key. The public key, for example, is then 

30 provided to the sender of the data, whereas the private key is stored at a secure location. 
The sender of the data utilizes the public key for encrypting the original data, and the 
encrypted data are then transferred to the recipient. When the recipient receives the 
encrypted data, the private key, which corresponds to the public key previously utilized for 
encryption, is provided to the decryption system which processes the encrypted data so as 

35 to arrive at the original decrypted data. Public key systems are primarily used for 

transmitting keys which are utilized in, e.g., block or stream ciphers, which in turn perform 
encryption and decryption of the data. 

The methods of the present invention are applicable to cryptographic methods, in 
40 particular but not exclusively to stream cipher algorithms, block cipher algorithms. Hash 
functions, and MAC (Message Authentication Code) functions. Such methods, functions and 
algorithms may include pseudo-random number generators which are capable of 



APPLICATION/25557US02/JPF/PNI/07-12-01 



3 



generating pseudo-random numbers in a reproducible way, i.e. in a way that results in the 
same numbers being generated in two different cycles when the same key is used as an 
input for the pseudo-random number generator in the two cycles. 

5 In order to generate pseudo-random numbers, it has been proposed to utilize numerical 
solutions of chaotic systems, i.e. systems of non-linear differential equations or mappings 
exhibiting chaotic behavior. The term "'chaotic" may in a strict mathematical sense only be 
used In the context of a continuous system. However, the present text also refers to 
discrete or finite systems having at least one positive Lyapunov exponent as being 
10 ''chaotic". 

A chaotic system normally governs at least one state variable X, the numerical solution 
method of such a system normally comprising performing iteration or integration steps. In 
a chaotic system, the solution Xn at a given instant is dependent on the initial condition Xq 

15 to such an extent that a small deviation In Xq will result in a huge deviation in the solution 
Xn, the system often being referred to as exhibiting sensitivity on initial conditions. Thus, in 
order for the pseudo-random number generator. I.e. the algorithm numerically solving the 
chaotic system to give a reproducible stream of pseudo-random numbers, the exact initial 
condition Xq must be known. Thus, in cryptographic algorithms relying on chaotic systems, 

20 the initial condition Xq used In the numerical solution of the chaotic system is derived from 
the key entered by a user of the cryptographic system, thereby allowing the same stream 
of pseudo-random numbers to be generated for e.g. encryption and decryption of data. 

Lyapunov exponents measure the rates of divergence or convergence of two neighboring 
trajectories, i.e. solution curves, and can be used to determine the stability of various 

25 types of solutions, i.e. determine whether the solution is for example periodic or chaotic. A 
Lyapunov exponent provides such a measure from a comparison between a reference orbit 
and a displaced orbit. Iterates of the initial condition Xq are denoted the reference orbit, 
and the displaced orbit is given by iterates of the initial condition Xo + yo, where yo is a 
vector of Infinitely small length denoting the initial displacement. The initial orientation of 

30 the initial displacement is given by Uo = yo /I yo|. Using this notation, the Lyapunov 
exponent, h(xo, yo), is defined as 

h(Xo,Uo) = iirn^in^yn|/|yo|) 

where yn Is the deviation of the displaced orbit from the reference orbit, given by the n'th 
Iterate of Xq. For systems whose dimension is larger than one, there is a set or spectrum of 

35 Lyapunov exponents, each one characterizing orbital divergence or convergence In a 

particular direction. Thus, if the system has N degrees of freedom, it will have N Lyapunov 
exponents which, however, are not necessarily distinct. In all practical situations, a 
positive Lyapunov exponent indicates chaos. The type of irregular behavior referred to as 
hyperchaos is characterized by two or more positive Lyapunov exponents. Numerical 

40 calculation of Lyapunov exponents may be performed according to the suggested method 
in T.S. Parker and L.O. Chua: Practical Numerical Algorithms for Chaotic Systems, pp. 73- 
81. 
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Even more irregular systems than hyperchaotic systems exhibit so-called turbulence, 
which refers to the type of behaviour exhibited by a system having a continuous spectrum 
of positive Lyapunov exponents. Turbulence may be modeled by partial differential 
equations, for example the well-known Navier-Stokes equations. 

5 

A large number of prior art documents are concerned with solving chaotic systems, in 
particular to be used In cryptographic algorithms, also including stream cipher algorithms 
relying on chaotic systems, some of which are briefly mentioned below as a general 
introduction to the background art. 

10 US 5,007,087 assigned to Loral Aerospace Corp. discloses a method and an apparatus for 
generating random numbers using chaos. The patent describes solving chaotic systems for 
generating random number sequences and mentions its possible use in cryptography, in 
particular In the field of key generation and management. The document mentions that 
repeatability of the number sequence should be avoided. 

15 US 5,048,086 assigned to Hughes Aircraft Company is related to an encryption system 
based on chaos theory. The system uses the logistic equation Xn+i=nXn(l-Xn), which is a 
mapping exhibiting chaos for certain values of n. In the computations, floating-point 
operations are used. 

20 US 6,014,445 assigned to Kabushiki Kaisha Toshiba, Kawasaki, discloses an 

enciphering/deciphering apparatus and a method Incorporating random variable and key- 
stream generation. The disclosure is related to chaotic stream ciphers and mentions that 
floating-point computations are used. 

25 per Application WO 98/36523 assigned to Apple Computer, Inc. discloses a method of 
using a chaotic system to generate a public key and an adjustable back door from a 
private key. The need for establishing rules of precision during computations on a chaotic 
system Is mentioned. The document states, as an example, that a specified floating point 
or fixed point precision can be identified along with specific standards for round-off. 

30 

"Numerical Methods and Software" by D. Kahaner, C. Moler and S. Nash (Prentice-Hall 
International Editions, 1989) contains a general introduction to (pseudo-)random number 
generation. The book mentions the following criteria forjudging the quality of (pseudo- 
)random number generators: 
35 a) High quality: the generator should pass all the statistical tests and have an extremely 
long period, 

b) Efficiency: execution should be rapid and storage requirements minimal. 

c) Repeatability: Specifying the same starting conditions will generate the same sequence. 
The user should be able to restart the generator at any time, but explicit initialization is 

40 not necessary. A slight change in the starting procedure will result In a different random 
sequence. 
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d) Machine independence and portability: The algorithm should work on different kinds of 
computers; in particular, no operation should cause the program to stop. The same 
sequence of random numbers should be produced on different computers by initializing the 
generator in exactly the same way. 
5 e) Simplicity: The algorithm should be easy to implement and use. 

The book further states that no generator can be successful in satisfying all of these 
criteria. 

"Secure Communication System Using Chaos via DSP Implementation" by H. Kamata, E. 
10 Tetsuro and Y. Ishlda (IEEE 1996) describes a communication system based on a chaotic 
circuit, where a digital signal processor (DSP) is used in the implementation of the system. 
By using fixed-point DSP, the system is made more robust than analog circuits. The 
recovery of a transmitted message is based on synchronizing the chaotic receiver system 
with the transmitter system. 

15 

It is known to use fixed-point variables in numerical computations, for example in Intel 
Mandelbrot computations. Intel (cf. MMX™ Technology Application Notes, "Implementing 
Fractals with MMX™ Technology", publicly accessible on 

http://developer.intel.com/software/idap/resources/technical_collateral/mmx/MANDEL.HT 
20 M on 7 December 2001) has explained how a Mandelbrot set (the set being derivable from 
a non-linear system) may be computed In a fast manner using MMX technology (an add-on 
to Intel's processors which speeds up certain computations). This is done using fixed-point 
computations. 

25 The Mandelbrot set is computed by means of the below mapping: 

Intel utilizes a constant decimal separator position in their computations. A so-called 5.11 
is utilized, i.e. a 16 bit number is utilized wherein the decimal separator is placed after the 
5'th bit, ''5" referring to 5 bits after the decimal separator, "11" referring to 11 bits aflier 
30 the decimal separator. 

SUMMARY OF THE INVENTION 

Usually on a computer, real numbers are represented by floating point type numbers. A 
35 floating-point number is defined as a number consisting of a mantissa and an exponent, 
e.g. 31415 • 10"\ where "31415" is the mantissa and "-4" is the exponent. When a 
computer is performing a calculation on a floating-point variable. It recalculates the 
exponent to match the result each time. The name "floating-point" refers to the fact that 
the decimal separator Is moving at calculations, caused by the varying exponent. However, 
40 floating point arithmetic Is defined differently on various processor architectures causing 
different handling of precision and rounding off. Instead of floating-point numbers, fixed- 
point numbers can be used. A fixed-point number is represented as an integer type 
number on a computer, where a virtual decimal point or separator (also referred to as an 
imaginary decimal separator) is introduced "manually", i.e. by the programmer, to 
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separate the integer part and the fractional part of the real number. Hence, calculations on 
fixed-point numbers are performed by simple integer operations, which are identical on all 
processors in the sense that the same computation, performed on two different 
processors, yields identical results on the two processors, except for possible different 
5 representations of negative numbers. Such possible different representations may occur as 
a consequence of some processors utilizing ones complement and other processors 
utilizing twos complement. Furthermore, these operations are also usually faster than the 
corresponding floating point operations. 

10 In general, a fixed-point number type is denoted O(a.p) where a Is the number of bits used 
to hold the integer part, and p the number of bits to hold the fractional part. The values of 
a and p, and thus the position of the decimal point, are usually predetermined and 
stationary. The fixed-point number can be either unsigned or signed, in which case <t> is 
denoted U or S respectively. In the latter case, a bit is needed to hold the sign, thus 

15 a+p+1 bits are needed to hold S(a.p).The range of U(a.p) Is [0;2"-2'''], and the range of 
S(a.p) is [-2";2"-2"'^]. The resolution of the fixed-point numbers is thereby 2 ". 

The position of the decimal separator in a fixed-point number is a weighting between digits 
in the integer part and digits in the fraction part of the number. To achieve the best result 

20 of a calculation, it is usually desired to Include as many digits after the decimal separator 
as possible, to obtain the highest resolution. However, it may also be important to assign 
enough bits to the integer part to ensure that no overflow will occur. Overflow is loading or 
calculating a value into a register that is unable to hold a number as big as the value 
loaded or calculated. Overflow results in deletion of the most significant bits (digits) and 

25 possible sign change. 

In the various aspects of the present invention, the position of the decimal separator may 
be assigned at design time. To choose the right position, the possible range of the number, 
for which the position Is to be chosen, is preferably analyzed. The most positive and most 
30 negative possible values are determined, and the highest absolute value of the two is 
inserted into the following formula: 
a = ceil(loa(abs(MaxVa!))) 
to determine the value of a. 

35 The position of the decimal point may vary between different fixed-point 

variables.However, addition and subtraction operations require input numbers with similar 
positions. Hence, it is sometimes necessary to shift the position of the decimal point. Right 
shift by n bits corresponds to a conversion from a>(a.p) to a>((x+n.p-n). Left shift by n bits 
will convert a>(a.p) to O(a-n.p-i-n). Conversion of unsigned numbers is done by logical shift 

40 operations, whereas arithmetical shifts are used for signed numbers. 

The mathematical operations addition, subtraction, multiplication and division on fixed- 
point numbers are carried out as plain integer operations. The addition and subtraction 
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operations may result in a number of size 0(a+l.p) because of the carry. However, the 
result is normally truncated to give a number with the same format as the input. 

Multiplication and division do not require arguments with similar positions of the decimal 
5 separators. However, prior to division, the numerator is expanded as It must have twice 
the length of the denominator and the result. The results will have a format of: 
S(a.p)-S(c.d) = S(a+c+l.|3+d) and S(a+c4-l.p+d) / S(a.p) = S(c.d). For unsigned 
multiplication and division S(a+c+l.p+d) is replaced by U(a+c.p+d). Exceeding digits in 
the multiplication compared to the predetermined result format are cut off to match the 
10 target register size. 

Further Information on fixed-point calculations can be found in "Fixed-Point Arithmetic: An 
Introduction" by R. Yates (The text can be found at 

http://personai.mia. bellsouth.net/lig/y/a/yatesc/fp.pdf on 7 December 2001). 

15 

The utilization of floating point variables in the numerical solution of mathematical systems 
may create non-predictable truncation and/or rounding errors. In case of the mathematical 
system to be solved being non-linear, and in particular in case of the system being chaotic, 
the accuracy of the solution at all integration steps is of paramount importance, as a small 

20 deviation at one step may confer huge deviations at subsequent steps. If the truncation 
and/or rounding errors are created consistently in the same manner in any and all 
computations, two solutions based on the same initial conditions are identical, and 
accordingly the computations are reproducible. However, in most cases truncation and/or 
rounding errors of floating point numbers are not entirely controlled by software but also 

25 by hardware on which the software is running. Accordingly, truncation and/or rounding 
errors are hardware dependent, and consequently truncations and/or roundings may be 
performed differently in two different hardware processors. For most computations this is 
without Importance, as the truncations and roundings create inaccuracies of an order of 
magnitude which is far below the required accuracy of the computations. But in the 

30 solution of, e.g., chaotic systems, a small deviation In the way truncations are performed 
may confer huge deviations in the solution at later computational steps. 

It is thus an object of the present invention to provide a method of performing numerical 
computations in a mathematical system and a method of generating pseudo-random 

35 numbers, in which methods truncation and/or rounding errors are predictable or in which 
such errors may be entirely controlled by software, i.e. in which the accuracy of the 
computations is hardware independent. It is a further object of the invention to provide a 
method of performing such numerical computations and a method of generating pseudo- 
random numbers in a reproducible way, which methods, when run on a computer, are fast, 

40 i.e. which utilize the available hardware processor capacity optimally. It is a still further 
object of the invention to provide a method and a system for decrypting and encrypting 
data which is fast when run a computer. 
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Where in the present context, the term "pseudo-random number" is used, this should be 
understood as a random number which may be generated in a reproducible and/or 
deterministic way, i.e. in a way that results in the same pseudo-random number being 
generated in two different executions of a pseudo-random number generating algorithm 
5 when the same key or seed value is used as an input for the pseudo-random number 
generating algorithm in the two executions. 

In the present context, a fixed-point variable is defined as an integer type number with an 
imaginary decimal separator, an integer being defined as a number without digits after the 
10 decimal separator. Accordingly, real numbers are represented by Inserting the imaginary 
decimal separator (or decimal point) at some fixed predetermined position within an 
integer, for example four digits from the left. The position might be changed as a 
consequence of a mathematical operation on the number. The position may also be forced 
to be changed by use of a logical operation. 

15 

As it occurs from the above discussion, fixed-point numbers are integers, on which a 
virtual decimal separator is imposed. The number consists of a so-called "integer part", 
referring to the bits before the decimal separator, and a "fraction part" referring to the bits 
after the decimal separator. In the present context, bits are also referred to as digits and 
20 Wee versa. 

In a computer program comprising fixed-point number computations or in an electronic 
circuit or device for performing fixed-point computations, means may be provided for 
determining a suitable location of the decimal separator. Thus, the program, circuit or 

25 device may, during computations, detect possible overflow and, in the case of a possible 
overflow being detected, change the number of bits on either side of the decimal 
separator, i.e. the location of the decimal separator in a register which stores the variable 
or variables in question. This change may be performed by moving the decimal separator 
one or more positions to the left or to the right. Preferably as many bits as possible are 

30 used to the right of the decimal separator in order to minimize the number of possible 
unused bits in the register and thereby to obtain an optimal accuracy in the computations. 
By changing the position of the decimal separator, though some computational speed may 
be lost due to the requirement for additional operations for detecting possible overflow, the 
accuracy of the computations is optimized while the risk of overflow is eliminated or 

35 reduced, without a designer or programmer of an application incorporating the computer 
program, circuit or device needing to make considerations concerning accuracy and 
overflow in a design or programming phase. Alternatively, or additionally, a test program 
may be provided which determines when or where in the computations overflow will occur 
or is likely to occur, so that a programmer or designer of the program may fix the position 

40 of the decimal separator in one or more variables such that no overflow occurs, whereby, 
in the final implementation, no determination of possible overflow is needed. However, the 
determination of possible overflow may also be incorporated in the final implementation as 
an additional safeguarding feature. Further, the programmer or designer may choose to 
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implement changing of the decimal separator at fixed, predetermined stages In the 
computations. 

As discussed above, a real number may be expressed by means of one or more fixed-point 
5 numbers. Likewise, a complex number, c=a+ib, where may be expressed by means 

of one or more fixed-point numbers, e.g. by expressing the real part a and/or the 
imaginary part b as a fixed-point number. In case only one of the real and imaginary parts 
is expressed as a fixed-point number, the other one may be expressed by means of any 
other type of number, such as a floating-point or an integer number. 

10 

In the present context, the term "data carrier" or "computer readable data carrier" should 
be understood as any device or media capable of storing data which is accessible by a 
computer or a computer system. Thus, a computer readable data carrier may, e.g., 
comprise a memory, such as RAI^, ROM, EPROM, or EEPROM, a CompactFlash Card, a 
15 MemoryStick Card, a floppy or a hard disk drive, a Compact Disc (CD), a DVD, a data tape, 
or a DAT tape. 

Signals comprising data derived from the methods of the present invention and data used 
in such methods may be transmitted via communications lines, such as electrical or optical 
20 wires or wireless communication means using radio or optical transmission. Examples are 
the Internet, LANs (Local Area Networks), I^AIMs (l^letropolitan Are Networks), WANs (Wide 
Area Networks), telephone lines, leased lines, private lines, and cable or satellite television 
networks. 

25 In the present context, the term "electronic device" should be understood as any device of 
processing data by means of electronic or optical impulses. Examples of applicable 
electronic devices to the methods of the present invention are: a processor, such as a CPU, 
a microcontroller, or a DSP (Digital Signal Processor), a computer or any other device 
incorporating a processor or another electronic circuit for performing mathematical 

30 computations, including a personal computer, a mainframe computer, portable devices, 
smartcards, chips specifically designed for certain purposes, e.g., encryption. Further 
examples of electronic devices are: a microchip adapted or designed to perform 
computations and/or operations. 

35 Processors are usually categorized by: (a) the size of data that is operated on (b) the 

instruction size and (c) the memory model. These characteristics may have different sizes, 
normally between 4 and 128 bit (e.g. 15, 16, 32, 64 bit) and not limited to powers of two. 

In the present context, the term "processor" covers any type of processor, including but 
40 not limited to: 

- "Microcontroller", also called "embedded processor". The term "microcontroller" and 
"embedded processor" usually refers to a small processor (usually built with fewer 
transistors than big processors and with limited power consumption). Examples of 
microcontroller architectures are: 
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- Z80 

- 8051 (e.g. produced by Intel) 

- CPUS / 6800 (e.g. 68HC05 68HC08 and 68HC11 e.g. produced by Motorola) 

- CPU32 / 68k (e.g. 68000 Dragonball produced by Motorola) 

5 - Other processors which are typically used in different kinds of con^iputer and control 
systems, examples of architectures being: 

- Alpha 21XXX (e.g. 21164, 21264, 21364) 

- AMD X86-64 (e.g. Sledgehammer) 

- ARM (e.g. ARM 10, StrongARM) 

10 - CPU32 / 68k (e.g. 68000, 68030, 68040 e.g. produced by Motorola) 

- IA32 (e.g. the x86 family produced by Intel (e.g. I486, Pentium), AMD (e.g. K6, 
K7), and Cyrix) 

- IA64 (e.g. Itanium produced by HP/Intel) 

- MIPS (e.g. R4000, RIOOOO produced by SGI) 
15 - PA-RISC (e.g. 8000, produced by HP) 

- PowerPC (e.g. G3, G4, produced by IBM/Motorola) 

- SPARC (e.g. UltraSPARC II, UltraSPARC III, produced by SUN) 

- DSPs. Examples are: 

- DSP56300 (produced by Motorola) 
20 - MSC8100 (produced by Motorola) 

- TI TMS320C6711 (produced by Texas Instruments). 

In the present context, the term "register" should be understood as any memory space 
containing data, such as a number, the memory space being for example a CPU register, 
25 RAM, memory in an electronic circuit, or any data carrier, such as a hard disk, a floppy 
disk, a Compact Disc (CD), a DVD, a data tape, or a DAT tape. 

It should be understood that the present invention also relates to, in independent aspects, 
data derived from the methods of the present invention. It should also be understood that 
30 where the present Invention relates to methods, it also relates to, in independent aspects, 
computer programs being adapted to perform such methods, data carriers or memory 
means loaded with such computer programs, and/or computer systems for carrying out 
the methods. 

35 Any and all computational operations involved in the methods of the present invention may 
be carried out on or by means of an electronic device. 

In a first aspect the present invention provides a method of, performing numerical 
computations in a mathematical system comprising at least one function, the method 
40 comprising the steps of: 

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations Include the at least 
one variable expressed as a fixed-point number. 
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- obtaining, from said computations, a resulting number, the resulting number 
representing at least one of: 

- a. at least a part of a solution to the mathematical system, and 

- b. a number usable in further computations involved in the numerical solution of 
5 the mathematical system, 

the method further comprising: 

- extracting a set of data which represents at least one of: 

- i. a subset of digits of the resulting number, and 

- ii. a subset of digits of a number derived from the resulting number. 

10 

A subset of a number may be regarded as a part of that number, such as some, but not 
necessarily all digits or bits of the number. For example, the 8 least significant bits of a 16- 
bit number may be regarded as a subset of the 16-bit number. 

15 The term "extracting" covers, but is not limited to: outputting the number or subset in 
question, for example as a l<eystream or a part of a keystream or as any other final or 
Intermediate result of a computational process; storing the number or subset in question in 
a register, for example in order to allow for further use thereof, such as for further 
computations, on the subset. 

20 

By extracting a subset of digits of a number instead of extracting the entire number, 
random properties are improved in case the method is used in a pseudo-random number 
generator, for example for encryption and/or decryption purposes. Moreover, as only a 
subset is extracted, less information concerning the internal state of the mathematical 
25 system is contained in the extracted set of data which enhances the security of an 
encryption/decryption system incorporating the method of the invention. 

Though the mathematical system may comprise a continuous system, for example a 
system of differential equations. It may also or alternatively comprise a system which is 
30 originally defined in discrete terms, for example in the case of a map. The at least one 
function of the mathematical system may be non-linear, as discussed in more detail below. 

Usually, the subset of digits comprises k bits of an m-bit number, k<m, for example 
extracting 8 bits of a 32-bit number. The number from which the subset is extracted 
35 and/or the extracted set of data may be expressed as one or more binary number, octal 
number, decimal numbers, hexadecimal number, etc. The k bits may be the least 
significant bits of the number, or it may be k bits selected from predetermined or random 
positions within the number from which the bits are extracted. For example, from a 64-bit 
number, bits Nos. 42, 47, 53, 55, 56, 57, 61, and 63 may be extracted, or bits Nos. 47-54. 

40 

The method according to the first aspect of the invention may be applied for encryption 
and decryption, modulation of radio waves, synchronization of chaos in picture and sound 
signals so as to reduce noise, data compression, in control systems, watermarking. 
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steganography, e.g. for storing a document in the least significant bits of a sound file, so 
as to hide the document in digital transmission. 

The use of fixed-point numbers has the advantage over floating-point numbers that 
rounding and/or truncations errors occurring in fixed-point number computations are 
identically defined on ail processors. By use of fixed-point variables, decimal numbers may 
be expressed as integer type numbers where an imaginary decimal separator is placed in 
the number. In cases where floating-point variables are used, truncation/rounding errors 
are not performed identically on different types of processors. 

As a consequence of truncation/rounding errors being controllable or predictable, 
numerical computations in mathematical systems which are sensible to 
truncation/rounding errors may be performed in a reproducible manner. Thus, for 
example, non-linear systems, in particular chaotic systems, may be numerically solved in a 
reproducible manner. This opens up for utilizing chaotic systems in pseudo-random 
number generators, such as In encryption/decryption algorithms, without the need for 
feed-back or correction algorithms or registers in order to prevent Inaccuracies, or without 
the need for synchronization techniques ensuring identical solution of the systems in 
encryption as in decryption. This in turn contributes to the computations, the pseudo- 
random number generation and/or the encryption/decryption algorithm being fast as 
compared to algorithms involving such feed-bacl< or correction algorithms or 
synchronization techniques. Further, there is no need for transmission of synchronization 
data with the encrypted data, such synchronization data often amounting to a size 
comparable to the size of the encrypted data, which may be a major problem due to, e.g., 
lack of bandwidth when transmitting data via the Internet. Further, transmission of such 
data compromises the security of the system. The computations are also performed faster 
than computations in methods involving a floating-point variable for the variable in 
question, as in computations involving fixed-point numbers the hardware processor 
performs computations as integer number computations, computations on integer number 
being generally faster than computations on floating-point numbers. 

In the present context, the term "resulting number" should be understood as any number 
occurring in the computations. I^ore than one resulting number may be obtained. The 
resulting number may, as stated above, be a part of the solution to the mathematical 
system and/or an intermediate result, i.e. a number assigned to any variable or parameter 
of the mathematical system or to any other variable or parameter used in the 
computations. In an implementation of the method, the resulting number or a part thereof 
may be extracted, for example as a pseudo-random number for use in an 
encryption/decryption system. Alternatively, one or more mathematical and/or logical 
operations may be performed on the resulting number or on a plurality of resulting 
numbers, so as to obtain a further number which is extracted. All or only selected bits in a 
binary representation of the resulting number may be extracted. It should be understood 
that a number generated from selected bits of a number occurring in the computations 
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may be referred to as the resulting number. Thus, the term "resulting number" also covers 
any part of a number occurring in the computations. 

The method according to the first aspect of the invention Is, as discussed above, useful in 
5 cryptography, for example In the following implementations: a symmetric encryption 
algorithm, a public l<ey (or asymmetric l<ey) algorithm, a secure or cryptographic Hash 
function, or a Message Authentication Code (I^IAC). These algorithms may, for example, be 
used in accomplishing one or more of the following tasks: 

- Ensuring confidentiality of digital data, so as to protect data from unauthorized access. 
10 - Ensuring integrity of digital data, so as to ensure that information is accurate or has 

not been tampered with. 

- Authorization, e.g. to allow permission to perform certain tasl<s or operations. 

- Authentication, such as user authentication, so as to verify the identity of another 
party, or data origin authentication, so as to verify the origin of the data. 

15 - IMonrepudlation, to provide proof of participation in an electronic transaction, for 

example to prevent that a first person A sends a message to a second person B and 
subsequently denies that the message has been sent. Digital signatures are used for 
this purpose. The generation of a digital signature may Incorporate the use of a public 
key algorithm and a hash function. 

20 

The method according to the first aspect of the invention is also applicable to a so-called 
Hash function. A Hash function provides a kind of digital fingerprint wherein a small 
amount of data serves to identify other data, usually a set of data which is considerably 
larger than the aforementioned small amount of data. Hash functions are usually public 
25 functions wherein no secret keys are involved. Hash functions can also provide a measure 
of authentication and integrity. They are often essential for digital signature algorithms 
and for protecting passwords, as a Hash value of a password may be used for password 
control instead of the password itself, whereby only the hash value and not the password 
itself needs to be transmitted, e.g. via a communications network. 

30 

A Hash function employing a secret key as an input is often referred to as a MAC algorithm 
or a "keyed Hash function". jviAC algorithms are used to ensure authentication and data 
integrity. They ensure that a particular message came from the person or entity from 
whom it purports to have come from (authentication), and that the message was not 
35 altered in transit (integrity). They are used in the IPsec protocols (cf. RFC 2401 available 
on http://www.rfc-editor.org on 7 December 2001), for example to ensure that IP packets 
have not been modified between when they are sent and when they reach their final 
destination. They are also used in all sorts of interbank transfer protocols. 

40 As discussed above, the method of the first aspect of the invention may be implemented in 
a Hash or a MAC algorithm. A Hash or a MAC algorithm calculates a checksum of an 
amount of data of an arbitrary length, and gives the checksum as a result. The process 
should be irreversible (one-way), and a small change of an input value should result in a 
significantly different output. Accordingly, the sensitivity to data input should be high. 
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Whereas a Hash function does not use a key as a seed value, a MAC algorithm uses such a 
key which represents or determines a seed value for the algorithm, whereby the result 
depends on the key. Instead of a key, the Hash function relies on a constant value, for 
example certain bits from the number k. Alternatively, a part of the data to which the Hash 
5 function is applied may be used as a seed value. 

A Hash/MAC algorithm may be implemented as follows: 

- A mathematical system In the form of a logistic map is used in the algorithm, the 
logistic map having the form: Xn+i=Axn(l-Xn), wherein A is a parameter. Other chaotic 

10 systems may be employed, such as the Lorenz system which is discussed in detail 
hereinafter. 

- As the result of the algorithm should depend on the message m for which the 
checksum is to be calculated, the message is incorporated in the system as a 
component thereof. For example, a kind of coupling between the message and the 

15 dynamic variable, x, may be performed as follows: Xn+i=Axn(l-Xn)+e(Xn-mn). 

- The parameters A and e and the initial value Xq may be predetermined and/or derived 
from the message. In the case of a I^AC algorithm, the parameters A and e and the 
initial value Xo may, completely or partially, be determined by the secrete key. 

- The system is iterated until the end of the message is reached. The last calculated 

20 value of x or part thereof, such as the least significant digits, is denoted, for example, 
the Hash value, the MAC or the checksum. Alternatively, a number of additional 
iterations may be performed prior to extracting the resulting number. Instead of or in 
addition to extracting the last calculated value of x, certain bits which have been 
ignored in the computations may be extracted as the Hash value. 

25 - The way of introducing the message, m, into the dynamical system can be varied. As 
an example, a part of the message may be used to influence the x-variable in each 
iteration. Such influence may, e.g., be achieved by XORIng certain bits of the message 
into the least significant digits of x. 

30 For further details concerning Hash/MAC functions, reference is made to Applied 
Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996. 

One possible field of use of the method of the first aspect of the invention is public-key 
encryption, also referred to as asymmetric algorithms. The key used for decryption is 

35 different from the key used for encryption. For example, a key-generation function 
generates a pair of keys, one key for encryption and one key for decryption. One of the 
keys is private, and the other is public. The latter may for example be sent in an 
unencrypted version via the Internet. The encryption key may constitute or contain 
parameters and/or Initial conditions for a chaotic system. A plaintext is used to modulate 

40 the chaotic system which is irreversible unless initiated by the private key. For decryption, 
a mathematical system is used which has dynamics which are Inverse to the dynamics of 
the system used for encryption. 
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In the method according to the first aspect of the invention, the computations involving 
the variable expressed as a fixed-point number may possibly include computations on 
other types of variables, including one or more variables expressed as other kinds of 
numbers, such as floating point numbers and integer numbers. 

5 

The mathematical system may be a discrete or a continuous system. Various types of 
mathematical systems are discussed below. 

The computations may involve at least a first and a second fixed-point number, each fixed- 
10 point number having a decimal separator, wherein the decimal separator of the first fixed- 
point number is positioned at a position different from the position of the decimal 
separator of the second fixed-point number. The decimal separator of the first and second 
fixed-point number may be positioned at selected positions. 

15 The resulting number may be expressed as a variable selected from the group consisting 
of: 

an integer number, 

a floating point number, and 

a fixed-point number. 

20 

In general, the mathematical system may comprise one or more differential equations, or 
one or more discrete maps or mappings. In the case of differential equations, the 
mathematical system may comprise one or more ordinary differential equations and/or one 
or more partial differential equations. In the case discrete mappings, the mathematical 
25 system may comprise one or more area-preserving maps and/or one or more non area- 
preserving maps. At least one function of the mathematical system may be non-linear. 

The method of the invention is also applicable to other types of functions or equations, 
including integral equations. The at least one non-linear differential equation or mapping 

30 may exhibit chaotic behavior, i.e. it may have at least one positive Lyapunov exponent, in 
which case the method may comprise computing a Lyapunov exponent at least once 
during the mathematical computations. In case of a mathematical system exhibiting 
chaotic behavior, the method of the invention may advantageously be applied in a pseudo- 
random number generating method, such as in an encryption/decryption method. At least 

35 one Lyapunov exponent may be computed at least once during the mathematical 

computations in order to determine whether the mathematical system exhibits chaotic 
behavior. If this is not the case, e.g. if the computed Lyapunov exponent is not positive, 
the computations may be interrupted and resumed from other initial values and/or other 
parameters. 

40 

The at least non-linear differential equation or mapping preferably governs at least one 
state variable, X, which may be a function of at least one independent variable, t. 
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More specifically, the mathematical system may comprise one or more of the following 
systems: 

- continuous differential equations, including: 

- partial differential equations, such as the Navier-Stokes equations, 
! - ordinary differential equations, including: 

- autonomous systems, such as dissipative flows. Including the Lorenz system, 
coupled Lorenz systems, the Rossler system, coupled Rossier systems, hyper 
chaotic Rossler system, the Ueda system, simplest quadratic dissipative chaotic 
flow, simplest piecewise linear dissipative chaotic flow 

I - Hamiltonian systems, including the N body problem from celestial mechanics, 

for 

- Non-autonomous systems, including forced systems, such as the forced 
Duffing's equation, forced negative resistance oscillator, forced Brusselator, 
forced damped pendulum equation, coupled pendulums, forced double-well 
oscillator, forced Van de Pol oscillator, 

- delay differential equations, including delay logistic equation, population 
models, 

- Discrete mappings, including 

- area preserving as well as non area-preserving maps, including 

- maps which are piecewise linear in any dimension, such as a tent map, an 
asymmetric tent map, 2x modulo 1 map, and also the Anosov map, the 
generalized Baker's map, the Lozi map, as well as higher order generalizations 
and/or couplings of piecewise linear maps 

- polynomial maps (quadratic or higher), including a logistic map, the Henon 
map, higher order generalizations and/or couplings of polynomial map, e.g. N 
coupled logistic maps, N coupled Henon maps, 

- Trigonometric maps, including a Sine circle map, a Sine map, the Chirikov 
standard map, the Sinai map, the standard map, and Higher order 
generalizations and/or couplings of trigonometric maps, 

- other maps, including the Bernoulli shift, a decimal shift, the Horseshoe map, 
the Ikeda map, a pastry map, a model of a digital filter, a construction of the 
Henon type map in two dimensions from an arbitrary map in one dimension, 
the DeVogelaere map, 

- Cellular automata. 
Neural networks. 

The Rossler system referred to above has the form: 
dx 



wherein typical parameter values are: a = b = 0.2, c = 5.7. The Rossler system is 
40 described in more detail in O.E. Rossler, Phys. Lett. 57A, 397-398 (1976). 
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The Henon map referred to above has the form: 

wherein typical parameter values are: a = 1.4, b = 0.3. For more details, see M. Henon, 
Commun. Math. Phys. 50, 69-77 (1976). 

5 

A logistic map of the form Xn+i=^Xn(l-Xn) may be employed. The Anosov map, often 
referred to as the cat map having the form: 

may also be used. 

10 

The map Is composed of two steps; 1) a linear matrix multiplication, 11) a non-linear modulo 
operation, which forces the iterates to remain within the unit square. It is possible to 
generalize the Anosov maps to an arbitrary number of variables. Furthermore, the matrix 
may have arbitrary coefficient only limited by the requirement of being area -preserving 
15 and having at least one positive Lyapunov exponent for the system. These exponents can 
be calculated analytically for such systems. For more details, reference is made to A.J. 
Lichtenberg and l*^.A. Lieberman, Regular and Chaotic Dynamics, Springer 1992 (p. 305). 

Further, a map lattice which is a type of coupled maps may be employed. In the example 
20 below, X| denotes a variable on a lattice (represented by an N-dimensional array of points), 
the lattice being a ID array with M points. Each point on the lattice is updated according to 
the function on the right hand side of the arrow, where the function f may for example be 
the logistic map. As is seen, neighbouring points on the lattice couple linearly, where the 
linear coupling is adjusted by the parameters y and s. Boundary conditions refer to the way 
25 lattice elements 1 and M are treated. 

x, ^ f(X|)+ e[x,_i - (l + y)x, + yx„ Ji e [l,|vi]. 

Finally, certain simple 3D flow equations may be employed, the systems consist normally 
30 of fewer terms than the Lorenz and Rossler systems. That is, either five terms and two 
nonlinearities or six terms and one nonlinearity. In comparison the Lorenz and Rossler 
systems each consist of seven terms, cf. J. C. Sprott, Phys. Rev. E 50, R647-R650 (1994). 
Appropriate systems are given in the below list: 



dx/dt = 


y, dy/dt = 


-X + yz, dz/dt 


= 1 - y2 


dx/dt = 


yz, dy/dt = 


X - y, dz/dt = 


1 - xy 


dx/dt = 


yz, dy/dt = 


X - y, dz/dt = 


1 -x^ 


dx/dt = 


-y, dy/dt = 


X + z, dz/dt = 


xz + 3y^ 


dx/dt = 


yz, dy/dt = 


x^ - y, dz/dt = 


1 - 4x 



APPLICATION/25557US02/JPF/PNI/07-12-01 



18 



dx/dt 




y + z, dy/dt = -x + 0.5y, dz/dt = x^ - z 


dx/dt 




0.4x + z, dy/dt = xz - y, dz/dt = -x + y 


dx/dt 


= 


-y + z^ dy/dt = x + 0.5y, dz/dt = x - z 


dx/dt 


= 


-0.2y, dy/dt = x + z, dz/dt = x + y^ - z 


5 dx/dt 


= 


2z, dy/dt = -2y + z, dz/dt = -x + y + y^ 


dx/dt 




xy - z, dy/dt = x - y, dz/dt = x + 0.3z 


dx/dt 


= 


y + 3.9z, dy/dt = 0.9x^ - y, dz/dt = 1 - x 


dx/dt 


= 


-z, dy/dt = V - y, dz/dt = 1.7 + 1.7x + y 


dx/dt 


= 


-2y, dy/dt = x + z^, dz/dt = 1 + y - 2x 


10 dx/dt 


= 


y, dy/dt = x - z, dz/dt = x + xz + 2.7y 


dx/dt 




2.7y + z, dy/dt = -x + y^, dz/dt = x + y 


dx/dt 




-z, dy/dt = x - y, dz/dt = 3.1x + y^ + 0.5z 


dx/dt 




0.9 - y, dy/dt = 0.4 + z, dz/dt = xy - z 


dx/dt 




-X - 4y, dy/dt = x + zS dz/dt = 1 + x 



15 

The Lorenz system comprises the following differential equations: 



wherein X=(x, y, z) are state variables, t Is the Independent variable, and <j, r and b are 
parameters. 

20 

In case the following conditions are fulfilled: 



the stationary points of the Lorenz system are not stable, in which case the Lorenz system 
is likely to exhibit chaotic behavior. The parameters may be constant or variable, variable 
25 parameters contributing, e.g., to the results of the computations being more unpredictable 
which may be useful in a pseudo-random number generating method or in an 
encryption/decryption method. 

In the case of a non-linear mapping, the computations may comprise numerically iterating 
30 the non-linear function, the iteration being based on an initial condition Xo of the state 





variable X, 
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The step of performing computations may comprise numerically integrating tlie non-linear 
differential equations by repeatedly computing a solution Xn+i based on one or more 
previous solutions X^, m<n+l, and a step length), ATn, of tlie independent variable, t. 
5 Preferably, at least one initial condition, Xq, of ttie state variable, X, and an initial step 
lengtin, ATq, are provided. Tlie step length may be given before the computations are 
initiated, or it may be computed as the computations proceed. For example, the initial step 
length, ATq, may be computed from the initial condition Xq. 

10 In a discretized formulation of the Lorenz system, the solution Xn+i may be computed 
using the step length AT=(Atx,n, Aty,n, Atz,n) as follows: 

x„^i = x„ + {cs{y„ - x„))- At^_„ 

Yn.l = Vn +(Xn(r-Zn)-yn)-Aty.n 

z„^i = z„ + (x„y„ - bz J- At^,„, 
wherein: 

Atx,n is the step length used in the computation of Xn+i, 
15 Aty,n is the step length used in the computation of yn+i, 
Atz,n is the step length used in the computation of Zn+i. 

As mentioned above, the step length AT may be constant or may vary throughout the 
computations. For example, in each or in some of the integration steps, at least one of the 

20 elements (Atx,n/ Aty,n/ Atz,n) of the step length AT may be a function of one or more numbers 
involved in or derived from the computations. Also, In each integration step, at least one of 
the elements (Atx,n, Aty,n, Atz,n) of the step length AT may be a function of at least one 
solution, Xm, which is a current or previous solution to the mathematical system. In each 
or some of the integration steps, at least one of the elements (Atx,n, Aty,n, At^^p) of the step 

25 length AT Is a function of at least one step length, ATm, which is a current or previous 

integration step. The varying step length AT may be used not only in the method according 
to the invention but in any numerical solution of differential equations, and accordingly the 
present invention also relates to - as an independent aspect - a method of numerically 
solving differential equations using a variable step length. In a pseudo-random number 

30 generating method, such as in an encryption/decryption method, the variable step length 
may contribute to improving the security of the system, i.e. to mal<e the resulting 
l<eystream more unpredictable. 

In a pseudo-random number generating method, the initial condition Xq and/or the initial 
35 step length ATq may be calculated from or represent a seed value. In an 

encryption/decryption method, at least a part of the initial condition Xq and/or at least a 
part of the initial step length ATq may be calculated from or represent an encryption l<ey. 
Also, at least a part of at least some of the parameters of the mathematical system may 
be calculated from or represent a seed value or an encryption l<ey. The key may be a 
40 public or a private key. 
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The extracted set of data may comprise a pseudo-random number which may be used for 
encryption. A plurality of numbers resulting from the computations may be extracted. The 
step of extracting may comprise extracting one or more numbers derived from a number, 
k, of bits of the resulting number, such as the k least significant bits from the resulting 
5 number or numbers, which contributes to the unpredictability of the derived number. The k 
bits extracted may for example be derived by applying a modulus or a logical "and" 
function to the resulting number or numbers. As an alternative to extracting the k least 
significant bits, the step of extracting may comprise extracting k bits at predetermined or 
variable positions in the resulting number. The number k may be an Integer value selected 

10 from in the range between 8 and 128, such as 16-64, such as 24-32. In case a plurality of 
numbers are extracted, the extracted numbers may be derived by means of different 
values of k, which further contributes to the unpredictability of the derived number. The 
extracted number or numbers may be manipulated by means of arithmetic and/or logical 
operations, so as to obtain a combined set of data. One or more of the extracted numbers 

15 and/or the combined set of data may be combined with original data in an arithmetic 
and/or logical operation, so as to encrypt the original data. Similarly, one or more of the 
extracted numbers and/or the combined set of data may be combined with encrypted data 
in a arithmetic and/or logical operation, so as to decrypt the encrypted data and obtain the 
original data. The arithmetic and/or logical operation may comprise an XOR operation, 

20 multiplication or addition. For example, the arithmetic and/or logical operation may 
comprise addition of the original data and the combined set of data for encryption, and 
subtraction of the combined set of data from the encrypted data for decryption. 
Alternatively, the arithmetic and/or logical operation comprises subtraction of the 
combined set of data from the original data for encryption, and addition of the combined 

25 set of data and the encrypted data for decryption. It may be necessary to apply a modulus 
function when subtracting or adding numbers. In case the extracted set of data comprises 
data derived from a plurality of numbers, one set of bits, for example the k least 
significant bits may be extracted from one number, whereas other bits, for example the 
47th - 54th bit in a 64-bit number, may be extracted from the other number. 

30 

In a block-cipher encryption/decryption system, the computations may involve data 
representing a block of plaintext, so that the plaintext and a key Is entered into, e.g., an 
encryption system which gives the ciphertext as an output. The extracted set of data may 
be used to define at least one operation on a block of plaintext in the block-cipher 

35 encryption and decryption system. The method of the first aspect of the invention may be 
applied in a block-cipher algorithm, wherein a block of plaintext is divided into two sub- 
blocks, and one sub-block is used to influence the other, for example where a modified 
version of a first block (or a part thereof) is used to influence the other (or a part thereof), 
e.g., by an XOR function. Such an algorithm is generally referred to as a Feistel Network, 

40 cf. Applied Cryptography by Bruce Schneier, Second Edition, John Wiley & Sons, 1996. In 
such case the first sub-block or the modified version thereof may be transformed by a 
Hash function relying on the method, the Hash function being given a cryptographic key as 
an input. In each round, a new cryptographic key may be given as input to the Hash 
function. Alternatively, the same cryptographic key may be given to the Hash function in 
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all rounds. As a further alternative, the cryptographic key may vary from block to block, 
for example by giving the same cryptographic key as an Input in all rounds for each block, 
or by giving different cryptographic keys as inputs for each block and for each round. 

5 The extracted data may be used as a decryption or an encryption key. In a system, 
wherein computations are performed in two mathematical systems, the extracted set of 
data from one of the systems may be used to generate keys or used as keys for the other 
system. The extracted data may also be used in generation of data representing a digital 
signature, and/or in watermarking of digital data. 

10 

In the method according to the first aspect of the invention, the electronic device may 
comprise an electronic processing unit having a register width, whereby the method may 
comprising the steps of: 

- expressing at least one integer number of a bit width larger than said register width as 
15 at least two sub-numbers each having a bit width which is at most equal to said 

register width, 

- performing at least one of said computations as a sub-computation on each of the sub- 
numbers so as to arrive at at least two partial results, expressed as integer numbers of 
a bit width smaller which is at most equal to the register width of the processing unit, 

20 - concatenating the partial results to yield a representation of a result of said at least 
one computation. 

Analogously, computations on numbers of a width smaller than the register width of the 
processor may also be performed, whereby an operation, for example a logical AND, may 
be performed, so that the upper half of, e.g., a 64-bit register Is not used for computations 
25 on 32-bit numbers. In order to maintain the sign of the number in question, the most 
significant bit of, e.g., the 32-bit number may be copied into the upper 32 bits of the 64- 
bit register. 

The integer numbers usually comprise or represent the fixed-point number or numbers 
30 used in the computations. A fixed-point number expressed in terms of an integer type 
number may represent a real number. 

It should be understood that the method according to the first aspect of the invention may 
be combined with any of the steps discussed below in connection with other aspects of the 
35 invention. 

The invention also relates to a computer program for performing numerical computations 
In a mathematical system comprising at least one function, the computer program being 
adapted to: 

40 - express the mathematical system in discrete terms, 

- express at least one variable of the mathematical system as a fixed-point number, 

- perform said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number. 
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- obtain, from said computations, a resulting number, tlie resulting number representing 
at least one of: 

- a. at least a part of a solution to the mathematical system, and 

- b. a number usable in further computations involved in the numerical solution of 
5 the mathematical system, 

the computer program being further adapted to: 

- extract a set of data which represents at least one of: 

- 1. a subset of digits of the resulting number, and 

- ii. a subset of digits of a number derived from the resulting number. 

10 

The computer program may further be adapted to perform any of the operations and 
method steps discussed In the present text. The invention also relates to a computer 
readable data carrier loaded with such a computer program, and to a computer comprising 
or being connected to such a computer readable data carrier, the computer comprising 
15 processor means for running the program. 

The invention also relates to a signal comprising an extracted set of data which have been 
derived from computations in a mathematical system, wherein, in order to arrive at the 
extracted set of data : 
20 - the mathematical system has been expressed in discrete terms, 

- at least one variable of the mathematical system has been expressed as a fixed-point 
number, 

- said computations have been performed in such a way that the computations have 
included the at least one variable expressed as a fixed-point number, 

25 - a resulting number has been obtained from said computations, the resulting number 
representing at least one of: 

- a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of 
the mathematical system, 
30 whereby the extracted set of data represents at least one of: 

- i. a subset of digits of the resulting number, and 

- ii. a subset of digits of a number derived from the resulting number. 

The invention further relates to a signal comprising an encrypted set of data which has 
35 been derived as a combination of plaintext and at least one set of data extracted from 
computations in a mathematical system, wherein, in order to arrive at the extracted set of 
data: 

- the mathematical system has been expressed in discrete terms, 

- at least one variable of the mathematical system has been expressed as a fixed-point 
40 number, 

- said computations have been performed in such a way that the computations have 
included the at least one variable expressed as a fixed-point number, 

- a resulting number has been obtained from said computations, the resulting number 
representing at least one of: 
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- a. at least a part of a solution to the mathematical system, and 

- b. a number usable in further computations involved in the numerical solution of 
the mathematical system, 

whereby the extracted set of data represents at least one of: 
5 - 1. a subset of digits of the resulting number, and 

- ii. a subset of digits of a number derived from the resulting number. 

It should be understood that any data derived from any method and/or computer program 
of the present invention and any signal containing such data are also covered by the scope 
10 of the appended claims. It should further be understood that any feature, method step, or 
functionality described below in connection with the further aspects of the invention 
discussed below may be combined with the method of the first aspect of the invention. 

In a second aspect, the present invention relates to a method of detecting periodic 
15 behavior in the solution of a mathematical system comprising at least one non-linear 
function governing at least one state variable with respect to at least one independent 
variable, the method comprising: 

- expressing the mathematical system In discrete terms, 

performing computations so as to obtain resulting numbers, the resulting numbers 
20 representing at least parts of solutions to the mathematical system, 

- storing selected solutions in an array. A, in a memory of the electronic device, the 
array being adapted to store a finite number, n+1, of solutions, 

- determining whether at least one of: 

- a current solution, and 

25 - a particular one of said solutions stored in the array 
is substantially identical to another solution stored In the array. 

The steps of performing computations, storing selected solutions, and determining may be 
performed continuously during the computations, i.e. repetitively during the computations, 
such as In each computational step, such as in connection with each iteration. 

30 

If a current solution or a particular one of the solutions stored in the array is substantially 
identical to one or more other solutions stored in the array the solution of the 
mathematical system is likely to show periodic behavior. In case the method according to 
the second aspect of the invention is used in a pseudo-random number generating 
35 method, in particular if it is used in an encryption/decryption method, such periodic 
behavior is undesirable, as it negatively influences the unpredictability of the generated 
pseudo-random numbers or the keystream. By applying the above method, periodic 
behavior may be detected. 

40 The step of determining whether a current solution or a particular one of the solutions 
stored in the array is substantially identical to one or more other solutions stored in the 
array preferably comprises determining whether the solutions are completely identical. 
When solving a mathematical system expressing an array of state variables X, the step of 
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determining may comprise determining whether only some of the entries of X are 
substantially identical. 

In order to save computational time and/or memory, only selected solutions may be stored 
5 In the memory. 

In the method, each entry in the array may contain a solution having an age which is 
growing by array level. A,, 0<l<n, and the method may comprise: 

- at the step of storing selected solutions in the array: storing a current solution at the 
10 O'th level, Ao, In the array. A, thereby overwriting an old value stored at the O'th level 

in the array. A, 

- if a O'th predetermined criterion is fulfilled: transferring the old value to the I'st level 
in the array. A, before the O'th level is overwritten by the current solution, and 

for the 1st level and each further level i In the array: 
15 - If an i'th predetermined criterion for level i Is fulfilled: transferring the old value stored 

at the i'th level to the i+l'st level In the array. A, before the i'th level is overwritten by 

the value transferred from the i-l'st level, 
if the n'th level is to be updated: discarding the old value previously stored at the n'th 
level. 

20 

For each level, i, in the array, the number of times an old value stored at the i'th level has 
been overwritten by a new value without the old value being transferred to the I+l'st level 
may be counted, the i'th predetermined criterion being fulfilled if the old value has not 
been transferred for a predetermined number of times. The predetermined number of 
25 times may be the same for all levels of the array, A, or it may vary between the levels. 
The predetermined number of times for the i'th level of the array. A, may for example be 
dependent on one or more values stored in the array, such as when there occurs a change 
of sign in one or more of the values. 

30 The step of 

determining whether a current solution or a particular one of said solutions stored 
in the array Is substantially identical to one or more other solutions stored in the 
array 

may only be performed when a test criterion is fulfilled. For example, the test criterion 
35 may be fulfilled when the sign of at least one state variable changes from + to -, or from - 
to +, or both. The test criterion may also be fulfilled when there occurs a change of sign of 
at least one derivative of at least one state variable with respect to at least one 
Independent variable, in which case the method further comprises computing the 
derivative. 

40 

In the method, a test value may be computed from the at least one state variable and/or 
from the derivative, the test criterion being based on the test value. The test criterion may 
for example be fulfilled when there occurs a change of sign in the test value or in a 
derivative of the test value, or predetermined values may be provided. 
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The step of performing computations may be performed by applying tfie metfiod of the 
first aspect of the invention, and any step discussed in relation to the first aspect of the 
invention as well as any step discussed below in connection with the methods of the 
5 further aspects of the Invention may be incorporated. 

In a third aspect, the present invention relates to a method of generating a pseudo- 
random number, the method comprising: 
I) expressing a mathematical system in discrete terms, 
10 II) defining a seed value representing at least an initial condition for the mathematical 
system, 

III) expressing at least one variable of the mathematical system as a fixed-point number, 

IV) performing computations including the at least one variable expressed as a fixed-point 
number and obtaining, from said computations, a resulting number, the resulting number 

15 representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 

V) extracting, as the pseudo-random number, a number derived from at least one number 
20 which has occurred during the computations. 

The seed value may be a user-defined value, such as an encryption/decryption l<ey in case 
the method is applied in an encryption/decryption method. 

25 The pseudo-random number may be extracted as a number derived from the k digits of 
the one or more numbers which have occurred during the computations, e.g. the k least 
significant bits or k selected bit from the one or more numbers. 

The method may comprise repeating steps IV) and V) until a given amount of pseudo- 
30 random numbers has been generated. 

A given amount of pseudo-random numbers may be generated and stored in a memory of 
the electronic device as a spare seed value, which may, e.g., be used if periodic behavior 
is detected by the method according to the second aspect of the invention or by another 
35 method. The given amount of pseudo-random numbers may be stored internally in an 
algorithm. 

The method may further comprise a method for detecting periodic behavior according to 
the second aspect of the Invention as discussed above. In that case the method for 
40 generating a pseudo-random number according to the third aspect of the invention may 
comprise, If the step of: 

determining whether a current solution or a particular one of said solutions stored 
In the array is substantially Identical to one or more other solutions stored in the 
array 
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reveals that the current solution or the particular solution is identical to one or more other 
solutions, 

interrupt the pseudo-random-number generation, i.e. interrupting repetition of steps IV) 
and V), 

5 use the spare seed value as the seed value in the step II), 

resume the pseudo-random-number generation, i.e. resuming repetition of steps IV) and 
V). 

Thus, for example, in an encryption/decryption method, a spare encryption/decryption key 
10 may be used if periodic behavior is detected. 

Prior to the step of resuming the pseudo-random number generation, a given amount of 
pseudo-random numbers may be generated and stored, in a memory of the electronic 
device, as a new spare seed value. Each level in the array. A, is preferably reset prior to 
15 step IV), when steps IV) and V) are initiated with a new seed value at step II). 

The method according to the third aspect of the Invention may comprise the steps 
described above in connection with the first aspect of the invention and/or the steps 
described below in connection with the further aspects of the invention. 

20 

In a fourth aspect, the invention relates to a method of encrypting a set of original data 
into a set of encrypted data, the method comprising the steps of: 

A) generating a pseudo-random number by performing the steps of: 

I) expressing a mathematical system in discrete terms, 
25 II) defining an encryption key representing at least an initial condition for the 

mathematical system, 

III) expressing at least one variable of the mathematical system as a fixed-point 
number, 

IV) performing computations including the at least one variable expressed as a 

30 fixed-point number and obtaining, from the computations, a resulting number, the 

resulting number representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of 
the mathematical system, 

35 V) extracting, as the pseudo-random number, a number derived from at least one 

number which has occurred during the computations, 

B) manipulating the original data and the pseudo-random number by means of at least one 
of: 

i. an arithmetic operation, and 
40 ii. a logical operation, 

so as to obtain a combined set of data, the combined set of data being the encrypted data. 

Prior to step A), a sub-set of the original data may be separated from the set of data, and 
step B) may be performed on the sub-set of data. This step may be repeated until a 
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plurality of sub-sets which in common constitute the entire set of original data have been 
encrypted. 

The pseudo-random number may be extracted as a number derived from the k bits of the 
5 one or more numbers which have occurred during the computations, e.g. the k least 
significant bits or k selected bits. 

Steps IV) and V) may be repeated until a given amount of pseudo-random numbers has 
been generated. 

10 

A given amount of pseudo-random numbers may be generated and stored in a memory of 
the electronic device as a spare encryption key. For example, a number resulting from or 
occurring in at least one integration or iteration step of the computations may be stored 
as a spare encryption key. The spare encryption key may, e.g., be used if encryption is 
15 interrupted due to the occurrence of periodic behavior in the solution to the mathematical 
system. In case no output of the spare encryption key is needed, it may be stored 
internally in an encryption algorithm. When the method is used for decryption, the spare 
key is a decryption key. 

20 As it appears from the above, the method may comprise a method for detecting periodic 
behavior according to the second aspect of the invention, in which case the method for 
encrypting according to the fourth aspect of the invention may comprise, if the step of 

determining whether a current solution or a particular one of said solutions stored 
in the array is substantially identical to one or more other solutions stored in the 
25 array 

reveals that the current solution or the particular solution is identical to one or more other 
solutions, 

interrupt the pseudo-random number generation, i.e. interrupting repetition of steps IV) 
and V), 

30 use the spare encryption key as the encryption key in step II), 

resume the pseudo-random number generation, i.e. resuming repetition of steps IV) and 
V). 

Prior to the step of resuming the pseudo-random number generation, a given amount of 
35 pseudo-random numbers may be generated and stored in a memory of the electronic 
device as a new spare encryption key. 

Preferably, each level in the array. A, is reset prior to step IV), when steps IV) and V) are 
initiated with a new seed value at step II). 

40 

The method for encrypting according to the fourth aspect of the invention may further 
comprise any of the steps discussed above in connection with the methods of the first, 
second and third aspects of the invention, and/or any of the steps discussed below in 
connection with the further aspects of the invention. 
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In a fifth aspect, the invention relates to a method of decrypting a set of encrypted data 
which has been encrypted by the method according to the fourth aspect of the invention, 
the method of decrypting according to the fifth aspect comprising the steps of: 

a) performing step A) as defined above in connection with the encryption method, so as to 
extract the same pseudo-random number as extracted in step V) of the encryption 
method, 

b) manipulating the encrypted data and the pseudo-random number by means of 
arithmetic and/or logical operations, so as to obtain the original, i.e. decrypted, version of 
the data. 

Prior to step a), a sub-set of the encrypted data may be separated from the set of 
encrypted data, and in case the sub-set of data has been encrypted by the above 
encryption method, the method of decrypting may comprise performing steps a) and b) on 
the sub-set of data. This step may be repeated until a plurality of sub-sets which in 
common constitute the entire set of encrypted data have been decrypted. 

Any of the steps of the encryption method may be applied in an Identical manner when 
decrypting the encrypted data as during the previous sequence of encrypting the original 
data. 

Any steps discussed above in connection with the first, second, third and fourth aspects of 
the invention may further be applied in the method of decrypting according to the fourth 
aspect of the invention. Further, the step of the fifth aspect of the invention may be 
incorporated in the further aspects of the invention discussed below. 

In a sixth aspect, the present Invention relates to a computer program for encrypting and 
decrypting a set of data, the computer program being adapted to run in an encryption 
mode and in a decryption mode, the computer program being further adapted to: 
i) generate a pseudo-random number In a reproducible way by performing the steps of: 

- expressing a mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point 
number, 

- performing computations Including the at least one variable expressed as a 
fixed-point number, 

- obtaining, from the computations, a resulting number, the resulting number 
representing at least one of: 

a. a part of a solution to the mathematical system, and 

b. a number usable in further computations involved In the numerical solution 
of the mathematical system, 

- extracting, as the pseudo-random number, a number derived from at least one 
number which has occurred during the computations, 

11) manipulate the data and the pseudo-random number by means of at least one of: 
- an arithmetic operation, and 
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- a logical operation, 

so as to obtain a combined set of data, wherein: 

- the combined set of data represents an encrypted version of the data in case the 
computer program is run in encryption mode, 

5 the combined set of data represents a decrypted version of the data in case the computer 
program is run in decryption mode. 

The step of manipulating may comprise any logical and/or arithmetic function described 
above. In case an XOR operator is used for manipulating the data, the encryption and 
10 decryption modes may comprise identical steps. 

The step of generating a pseudo-random number may further comprise any of the steps 
discussed above in connection with the method according to the third aspect of the 

invention. 

15 

The computer program of the sixth aspect of the invention may be adapted to perform any 
step discussed above with the first, second, third, fourth and fifth aspects of the invention, 
as well as any step discussed below in connection with the further aspects of the Invention. 

20 The invention further relates to a computer readable data carrier loaded with a computer 
program according to the sixth aspect of the invention, and to a computer comprising or 
being connected to such a computer readable data carrier, the computer comprising 
processor means for running the program. 

25 In a seventh aspect, the invention relates to a method of generating a pseudo-random 
number, the method comprising, in one instance: 

I) expressing a mathematical system in discrete terms, 

II) defining a seed value representing at least an initial condition for the mathematical 
system, 

30 III) expressing at least one variable of the mathematical system as a fixed-point number, 

IV) performing computations including the at least one variable expressed as a fixed-point 
number and obtaining a resulting number, the resulting number representing at least one 
of: 

a. a part of a solution to the mathematical system, and 
35 b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 

V) extracting, as the pseudo-random number, a number derived from at least one number 
which has occurred during the computations, 

performing steps I) - V) in a plurality of instances in parallel. 

40 

Computations in the two or more instances may be performed either at the same time, or 
successively. Thus, the computations in the two or more instances may be performed by 
executing instructions which process a plurality of computations at the same time, or by 
executing instructions which only process a single computation at a time. 
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Thus, pseudo-random number generation in a plurality of instances in parallel may, in 
some cases, be faster than if the steps are performed in one instance only, in particular if 
the hardware on which the method is executed supports parallel processing. Further, by 
5 coupling the two or more instances, a larger key length in encryption may be applied than 
if only one instance were used. For example, one part of an encryption key may be used 
for a first instance, and another part of the encryption key may be used for a second 
instance. 

10 |v|athematical systems of arbitrarily high dimension may be constructed by coupling 

systems of lower dimension. For example, N logistic maps can be coupled, yielding an N- 
dimensional system. The coupling mechanism can be engineered by including either linear 
or non-linear coupling functions in the N different maps corresponding to the N different 
variables. The coupling function in the map governing one variable may or may not depend 

15 on all other variables. Alternatively, the coupling can be carried out by substituting one of 
the N variables into one or more of the N-1 remaining maps. 

Two or more logistic maps may be coupled through linear coupling terms. In the example 
shown below, the parameters ei and zz in front of the coupling terms control the strength 
20 of the coupling, i.e. the degree of impact that each one of the two logistic maps has on the 
other one. 

Xn.J r^ix„{l-xj+si{y„-xjl 

YnJ kyn(l-yn)+e2(Xn-yn)J 

Numbers or data may be transmitted between the plurality of instances at least while 
25 performing step IV) for each of the instances. The same applies to step V). 

The method may comprise combining, by use of arithmetic and/or logical operations, a 
plurality of pseudo-random numbers extracted at step V) in each of the instances into a 
common pseudo-random number. 

30 

Parameter and/or variable values, or parts thereof, may be exchanged between the two 
instances. Thus, for example Xn+i of one instance and Xn+i of another instance may be 
exchanged after each iteration step, or Xn+i of one instance may be exchanged with yn+i of 
another instance. Likewise, the step length Atn may be exchanged between the two 
35 instances. The exchange of variable or parameter values may also be achieved by 

performing logical and/or arithmetic operations on a value of a first instance before using 
that value for modifying a value of a second instance. 

The method according to the seventh aspect of the invention may comprise any step 
40 discussed above or below in connection with the other aspects of the invention. 
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In an eighth aspect, the invention relates to a method of performing numerical 
computations in a mathematical system comprising at least one function, the method 
comprising the steps of: 

- expressing the mathematical system In discrete terms, 

5 - expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, 

- obtaining, from said computations, a resulting number, the resulting number 
representing at least one of: 

10 a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations Involved In the numerical solution of the 
mathematical system, 
the step of performing computations comprising: 

- repeatedly computing a solution Xn+i based on at least one previous solutions X^, 

15 m<n+l, whereby the step of performing computations is initiated based on at least one 
initial condition, Xo, of the state variable, X, 
the method further comprising: 

- providing a cryptographic key as an input to said computations, whereby the 
cryptographic key Is used in generation of the Initial condition Xq. 

20 

It should be understood, that, in the present context, the term "previous solutions" also 
covers the current solution, Xn+i- 

Any and all comments and discussions herein set forth in connection with the other aspects 
25 of the invention also applies to the method of the eighth aspect of the invention. 

In a ninth aspect, the Invention relates to a method of determining an Identification value 
for identifying a set of data, the method comprising performing numerical computations in 
a mathematical system comprising at least one function, the method comprising the steps 
30 of: 

- expressing the mathematical system In discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, 

35 - obtaining, from said computations, a resulting number, the resulting number 
representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations Involved In the numerical solution of the 
mathematical system, 

40 whereby a representation of at least part of the set of data Is used in said computations, 
the method further comprising: 

- extracting, as said Identification value, at least a part of said resulting number. 
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Thus, the method of the ninth aspect of the invention may be regarded a Hash function or 
Hash algorithm which have been discussed in detail above. The identification value may be 
constituted by a number of extracted numbers which have been extracted at different 
computational stages in the numerical computations. Extraction may occur at each 
5 computational step or at each iteration step, or it may occur only at selected 
computational stages. 

The term "identification value" may be a hash value or a cryptographic check-sum which 
identifies the set of data, cf. for example Applied Cryptography by Bruce Schneier, Second 
10 Edition, John Wiley & Sons, 1996. In case a cryptographic key is used as a seed value for 
the computations, the hash function is referred to as a MAC function (Message 
Authentication Code). 

The mathematical system may comprise a differential equation, such as a partial 
15 differential equation or an ordinary differential equation, or a discrete mapping, such as an 
area-preserving map or a non area-preserving map. The mathematical system may 
comprise at least one non-linear mapping function governing at least one state variable X. 

A non-linear mapping function may for example comprise a logistic map of the form 
20 Xn+i=Axn(l-Xn), whereln A is a parameter, Xn+i is the value of state variable x at the 

(n+l)'th stage in the computations, and Xp is the value of state variable x at the n'th stage 
in the computations. 

The logistic map may be modified into the form Xn+i=AXn(l-Xn)+e(Xn-mn), wherein A and e 
25 are parameters, Xn+i is the value of state variable x at the (n+l)'th stage in the 

computations, Xn is the value of state variable x at the n'th stage in the computations, and 
mn contains a representation of an n'th portion of the set of data. 

A cryptographic key may be used for at least partially determining at least one of the 
30 following: A, e and an initial value Xq of state variable x. 

The mathematical system may comprise a set of non-linear mapping functions, such as: 
- an Anosov map of the form: 



The mathematical system may comprise at least one non-linear differential equation 
and/or a set of non-linear differential equations. 

40 




35 - a Henon map of the form: 
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Preferably, the mathematical system has at least one positive Lyapunov exponent, 
whereby a certain degree of irregular or chaotic behavior is achieved, whereby 
randomness properties of the system and security are enhanced. 

5 At least one Lyapunov exponent may be computed at least once during the mathematical 
computations in order to determine whether the mathematical system exhibits chaotic 
behavior. If this is not the case, e.g. if the computed Lyapunov exponent is not positive, 
the computations may be interrupted and resumed from other initial values and/or other 
parameters. 

10 

The at least non-linear differential equation preferably governs at least one state variable, 
X, which is a function of at least one independent variable, t. The set of non-linear 
differential equations may for example comprise a Lorenz system. 

15 Any and all comments and discussions herein set forth in connection with the other aspects 
of the invention also applies to the method of the ninth aspect of the invention. 

In a tenth aspect the present invention relates to a method of, performing numerical 
computations in a mathematical system comprising at least one function, the method 
20 comprising the steps of: 

- expressing the mathematical system in discrete terms, 

- restricting the range of at least a selected variable of said function, the range being 
sufficiently narrow so as to exclude values which the selected variable, by virtue of said 
function, would assume if not restricted by said range, 

25 - performing computations so as to obtain a resulting number, the resulting number 
representing at least one of: 

a. a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system, 

30 - when the computations result in a value for the selected variable which is beyond the 
range, assigning a value within the range to the selected variable. 

For example, if the upper bits of the value, which is beyond the range, are truncated, the 
step of assigning a value within the range may be seen as a modulus function. The steps 
35 of the method of the tenth aspect of the invention may thus provide deliberate overflow, 
e.g. in order to enhance randomness properties of an encryption/decryption system and/or 
in order to make it more difficult to derive Information about internal states of the 
mathematical system from encrypted data. 

40 Any and all comments and discussions herein set forth in connection with the other aspects 
of the invention also applies to the method of the ninth aspect of the invention. In 
particular, any and all comments set forth in connection with encryption and decryption 
apply, and the method of the tenth aspect of the invention analogously applies to any and 
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all aspects of the present invention. In particular to aspects related to encryption and 
decryption. 

The method of the tenth aspect of the Invention may thus be a part of a pseudo-random 
5 number generating method which, e.g., generates pseudo-random numbers for use in at 
least one of encryption and decryption. The mathematical system preferably has at least 
one positive Lyapunov exponent. 

In an eleventh aspect, the present invention provides a method of performing numerical 
10 computations in a mathematical system comprising at least one function, the method 
comprising the steps of: 

- expressing the mathematical system in discrete terms, 

- expressing at least one variable of tine mathematical system as an integer number, 

- placing an imaginary decimal separator in said integer number, whereby the integer 
15 number represents a real number, 

- performing computations including the at least one variable expressed as an integer 
number so as to obtain a resulting number, the resulting number being expressed as 
an Integer number, 

- positioning the imaginary decimal separator in the resulting number at a 
20 predetermined position by performing at least one of the steps of: 

- correcting the position of the imaginary decimal separator in the integer number, 
and 

- placing an imaginary separator in the resulting number. 

25 The resulting number Is usually a fixed-point number having a fixed position of the decimal 
separator. Alternatively, the position of the decimal separator in the resulting number may 
be corrected after the computation has been completed. A third possibility is to correct the 
position of the decimal separator before and after performing the computation. This may 
be relevant if not all positions to the left of the decimal separator in the resulting number 

30 are used, and it is desired to maintain a relatively higher resolution in the computations 
than the resolution of the resulting number. For example, the resulting number is desired 
to have a S(10.21) format. Thus, the addition of, say, two S(7.24) format numbers may be 
performed in a S(8.23) format which then is converted to the S(10.21) format resulting 
number. Thereby, the carry from the second and third least significant bits in the 

35 arguments may influence the result. 

Finally, for some computations no correction of the position of any decimal separator may 
be required or needed. 

40 The correction of the position of a decimal separator are usually performed by means of 
shift operations. 

Any and all comments and discussions herein set forth in connection with the other aspects 
of the invention also applies to the method of the ninth aspect of the invention. 
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In a twelfth and broadest aspect, the present invention provides a method of performing 
numerical computations in a mathematical system comprising at least one function, the 
method comprising the steps of: 
5 - expressing the mathematical system in discrete terms, 

- expressing at least one variable of the mathematical system as a fixed-point number, 

- performing said computations in such a way that the computations include the at least 
one variable expressed as a fixed-point number, 

- obtaining, from said computations, a resulting number, the resulting number 
10 representing at least one of: 

a. at least a part of a solution to the mathematical system, and 

b. a number usable in further computations involved in the numerical solution of the 
mathematical system. 

15 Any and all comments and discussions herein set forth in connection with the other aspects 
of the invention also applies to the method of the ninth aspect of the invention. 

In a thirteenth aspect, the invention provides a circuit for performing numerical 
computations in a non-linear mathematical system comprising at least one function, the 

20 circuit being designed or programmed so that the mathematical system, in the circuit or in 
the computer program code, is represented in modified terms in such a way that at least a 
selected one of the numerical computations involves an integer operation, whereby said 
selected numerical computation in a non-modified representation of the mathematical 
system would require one or more floating point operations or controlling the positioning of 

25 a decimal separator in one or more fixed-point numbers, the circuit being designed or 
programmed so that said selected computation is substituted by at least one substitute 
computation on one or more integer numbers, whereby the mathematical system, in the 
circuit or in the computer program code, is represented in such a way that the at least one 
substitute computation requires no positioning of an imaginary decimal separator. 

30 

The mathematical system may exhibit chaotic behavior. 

Thus, for example, the computations: 
Xn+i=Xn+yn and 

35 yn+l = Xn+2yn 

may be performed by first computing Xn+i. Then, the expression for yn+i may be computed 
as: 

yn+l = Xn+i+yn 

whereby the computational step of multiplying yn by 2 may be omitted. 

40 

Thus, by performing the substitute computa tions, computational time may be saved. 

Likewise, the invention also provides method of, in an electronic circuit, performing 
numerical computations in a non-linear mathematical system comprising at least one 
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function, the nnethod comprising, in the circuit or in a computer program segment 
according to which the circuit operates, the steps of: 

- representing the mathematical system in modified terms in such a way that at least a 
selected one of the numerical computations involves an integer operation, whereby 

5 said selected numerical computation in a non-modified representation of the 

mathematical system would require one or more floating point operations or controlling 
the positioning of a decimal separator In one or more fixed-point numbers, 

- substituting said selected computation by at least one substitute computation on one 
or more integer numbers, whereby the mathematical system. In the circuit or In the 

10 computer program code, is represented in such a way that the at least one substitute 
computation requires no positioning of an imaginary decimal separator, 
performing said substitute computation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

15 

Fig. 1 is an Illustration of a sequence for encrypting, transmitting and decrypting electronic 
data. 

Fig. 2 is an illustration of an encryption sequence in a block cipher system, 

20 

Fig. 3 is an Illustration of an encryption sequence in a stream cipher system. 

Fig. 4 Is an illustration of the key elements In an encryption/decryption algorithm relying 
on various aspects of the invention, 

25 

Fig. 5 is a plot of a numerical solution to a Lorenz system. 

Fig. 6 is an illustration of key extension by padding, 

30 Fig. 7 illustrates a possible method of simultaneously computing two or more instances of 
Identical or different chaotic systems. 

Fig. 8 Illustrates the principle of performing a check for periodic solutions, 

35 Fig. 9 shows a mathematical system with a period solution. 

Fig. 10 illustrates transport between levels in the coordinate cache which stores previously 
calculated coordinates, 

40 Figs. 11-13 illustrate various criteria for the detection of periodic solutions. 

Fig. 14 contains an illustration of a method for multiplication of 16-bit numbers on an 8-bit 
processor. 
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Figs. 15-22 are flow charts showing the operation of one embodiment of an encryption 
method according to the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

5 

Fig. 1 is a general illustration of a sequence for encrypting, transmitting and decrypting 
digital data. Fig. 2 is an illustration of an encryption sequence in a block cipher system, 
and Fig. 3 is an illustration of an encryption sequence in a stream cipher system, block 
cipher and stream cipher systems being discussed in the above discussion of the 
10 background of the invention. 

A method and algorithm for encrypting/decrypting data will now be described as a 
preferred embodiment of the various aspects of the invention. The algorithm is applicable 
for most purposes in data encryption/decryption. However, the nature of the algorithm 
15 favours encryption of data streams or other continuous data, such as large files, live or 
pre-recorded audio/video, copyrighted material (e.g. computer games or other software) 
and data for storage (e.g. backup and/or transportation). Furthermore, the speed of the 
algorithm makes it particularly suitable for these purposes. Because of the calculation 
method, the algorithm is also useable on very small processors. 

20 

The algorithm relies on a Pseudo-Random Sequence Stream Cipher system (PRSSC). 
PSSRC systems are characterized by a pseudo-random number generator (the content of 
the outer boxes on Fig. 4), which generates a sequence of data, which is pseudo-random, 
based on a binary key. This sequence, the so-called keystream, cf. Fig. 4, is used for the 
25 encryption and decryption. The keystream is unique for each possible key. 

Applying the logical XOR-function (stated in the figure by the ©-symbol) on the plaintext 
and an equal amount of keystream encrypts the plaintext. The output of the XOR-function 
is the ciphertext. Applying the same approach once more on the ciphertext decrypts it into 
30 plaintext. The decryption will only reveal the encrypted plaintext if the key used for the 
decryption is fully identical to the key used for the encryption. 

The integrity of the encrypted data is lying in the key capable of decrypting the ciphertext. 
Therefore it must be difficult to guess the key. To ensure this, the basic design of the 
algorithm is using a key of at least 128 bit. A key-size of 128 bit gives approximately 
35 3.4- 10^^ different keys. 

The algorithm uses a system, which exhibits chaotic behaviour, such as a Lorenz system, 
which consists of the following three ordinary differential equations: 

dy 

f = xy-bz 

40 where a, r, b are parameters, and x, /, z are state variables. 
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Fig. 5 shows a plot of a numerical solution to a Lorenz system. 

The following parameter criteria should be satisfied for chaos to occur in the system: 

5 (a-b-l)>0 , r>l, r>a^^^^^, o,r,b>0 
[c-b-l) 

Even then, not all solutions will be chaotic. In the parameter space, there will be so called 
periodic windows, referring to combinations of parameters, which give rise to periodic 
solutions. Before implementing the system, analysis of the parameter-space will be 
performed using calculation of a Lyapunov exponent. Generally, a positive Lyapunov 
10 exponent indicates that the solution to the mathematical system is chaotic, cf. Edward Ott, 
Chaos in Dynamical Systems, Cambridge University Press 1993. 

The parameters are typically determined from a seed value, such as an encryption key or a 
part of an encryption key. Preferably, algorithms embodying the method of the present 

15 invention are designed so that only parameter values within predefined intervals are made 
possible, whereby it is ensured that the probability of the system having a positive 
Lyapunov exponent is high. Accordingly, the mathematical system will have a high 
probability of exhibiting chaotic behavior. The Lyapunov exponent may additionally or 
alternatively be determined at the beginning or during the mathematical computations, so 

20 as to be able to detect non-chaotic behavior of the solution to the mathematical system. 

The mathematical system could as well be another continuous system (such as the Rossler 
system) or a discrete map (such as the Henon map). 

25 The integration is performed using a numerical integration routine. Provided an initial 
condition and an integration step length, the numerical integration routine calculates the 
solution at discrete mesh points, e.g. by using the Euler method or a Runge-Kutta method. 
Using the Euler method to express the Lorenz equations in discrete terms, the solution can 
be computed from the following equations 

30 Xn.i =Xn + (a(y„-xJ).At, 

yp.i = Vn + (xn(r - zj - y„)- Aty 

The calculations are performed using fixed-point numbers which are described below. 

During numerical integration of a system of differential equations, the continuous non- 
dependent variables (such as time t or space s) are discretlzed. This process refers to 
35 replacing the continuous interval [a;b] with a set of discrete points.In such a system, 
AT=(Atx, Aty, AtJ is usually referred to as the step length of the integration or the 
integration step. 

Fig. 7 Illustrates a possible method of simultaneously computing two or more instances of 
40 the same system or different systems, such as chaotic systems. The method confers 
higher computational speed and improved security, and a larger key may be used. 
Preferably there should be some kind of communication or coupling between the two 
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systems, like for example exchange of step length, such as exchange of Atx, Aty, and/or 
Atz. 

The Internal variables are In the basic design 32 bits wide each, but any variable width 
5 could be used. When using the Lorenz system, there are 6 internal variables (3 state 
variables and 3 parameters). Thus, 192 bits (in the basic design) are used to represent an 
internal state of the generator given by a set of the Internal variables. The padding of the 
128 bits key up to 192 bits should be done In such a way as to avoid illegal values, i.e. to 
ensure that all variables contain allowed values, and as to avoid that bits from the key are 
10 ignored. The padding may include inserting predetermined values of zeros and ones or 
repetitions of bits from the key. Fig. 6 contains an illustration of key extension by padding. 

The integration may be performed with variable time steps, which e.g. can be calculated 
from any one of the state variables. In the basic design, the step length At varies in each 
15 integration step. This variation is coupled to the state variable X. 

The keystream is extracted from some of the data related to the state variables. This may 
be done by extracting the 8 least significant bits from the y variable or by collecting some 
of the data wiped out in the calculations; e.g. from one or more of the multiplications 
20 performed in the calculation of one step. 

Usually, calculations on a chaotic system are performed on computers using floating-point 
variables. However, this method introduces problems. One problem is that the use of 
floating-point variables may cause generation of different keystreams on different 
25 computers even If the same key is used, because of the slight differences in the 
implementation of floating-points on different computer systems. 

Therefore fixed-point variables are used. The fixed-point variable is based on the integer 
data type; which is implemented identically on various computer systems. To express 
30 numbers, such as real numbers, digits after the decimal point are needed, the decimal 
point being artificially located somewhere else than at the end of the number (e.g. 12.345 
instead of 12345). 

To ensure proper operation of the algorithm, some tests should preferably be performed. 
35 Some of these tests are performed at run-time, and others are performed at design-time. 

As a part of the initialization process, an amount of keystream equal to the complete data 
content of the state variables (e.g. 192 bits) or equal to the amount of a complete key 
(e.g. 128 bits) are generated using the algorithm and saved, in case the key has to be 
40 reloaded due to detection of periodic solutions or stationary points. In that case, the saved 
sequence is loaded as a new key, and the Initialization, including extraction of extra key, is 
redone. 
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Do to the finite representation of nunnbers on a computer, any numerical solution will be 
periodic. However, some keys may result in keystreams having a rather small period. 
. This is undesirable as it may compromise the security of the system. Therefore the 
present invention comprises an algorithm for detecting such periodic solutions . This 
5 algorithm watches the sign of a variable or the slope of a variable. When using the Lorenz 
system, the check is performed on x. When the sign changes from minus to plus (or plus 
to minus or just alters) the position check is performed (the position check can also be 
performed after ail iterations). The position check compares the complete set of state 
variables with buffered sets from earlier. If a complete match is found, a periodic solution 
10 is detected. 

Stationary points of a dynamical system are sets of state variables which remain 
unchanged during iteration. Such stationary points may be detected by comparing the 
current set of state variables with the last set, or by checking if the slopes of all of the 
15 variables are zero or by checking if both the current slope of one variable and its previous 
slope are zero. 

Chaotic systems may, for one reason or another, enter into periodic solutions. This has to 
be detected and corrected In order not to compromise the security of the system. If the 
solution of the system becomes periodic, encryption may preferably be stopped, as the 
20 extracted number from the solution of the mathematical system will also be periodic and 
hence not pseudo-random. The test for periodic solutions includes comparing coordinates 
of the solution with previously calculated coordinates. If a complete match is found, the 
system has entered a periodic solution. 

25 To reduce the amount of memory required to store previously calculated coordinates, and 
to reduce the processing time required to test the coordinates, only selected coordinates 
are stored in the coordinate cache. To reduce the processor time required to test for 
periodic solutions, the test is only performed when the coordinates meet certain criteria. 
Fig. 8 illustrates the principle of performing a check for periodic solutions. 

30 

Fig. 9 shows a mathematical system with a period solution, more specifically a two- 
dimensional non-linear system with a periodic solution. The system Is deterministic 
meaning that the solution is completely specified by its initial conditions. In theory, the 
solution will be continuous, thereby consisting of infinite many points. When solving the 

35 system numerically, the time-interval is discretized, and the solution is calculated at these 
points. The numerical solution to a mathematical system is simply a sequence of 
coordinate sets. If we consider a two-dimensional system, then the solution is specified at 
a number of points (x,y), illustrated by dots on the curve in Fig. 9. The deterministic 
nature of the system implies that if the solution ever hits a point, which it has visited 

40 previously, the solution is periodic and will keep being periodic. This property Is employed 
in the present test. 

In order to test for periodic solutions during numerical integration, we have to compare the 
present calculated coordinate set with the previous values. In order to do this, the 
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coordinate sets are stored as they are calculated. This storage works like a queue and is 
referred to as the coordinate cache. A calculated coordinate set is compared to every 
coordinate set in the coordinate cache. If a complete match (all values in the two 
coordinate sets are equal) Is found, the system is in a periodic state. If the test is passed 
5 without a complete match, no periodic behavior is detected, and the calculations may 
continue. Before the calculations continue, the tested coordinate is added to the cache, for 
further comparisons. 

It will require too much memory and processor time to keep all calculated coordinate sets 
10 of the system in the cache. Hence, only selected coordinates are stored, as illustrated in 
Fig. 10. 

The cache consists of a number of levels, each containing a coordinate of age growing by 
level. After each test or after a number of tests, the tested coordinate is inserted at level 
15 0. Every second time (or any other time) a coordinate is inserted into level 0, the old value 
is inserted into level 1 before it is overwritten. The method for inserting coordinates at the 
other levels Is similar; every second time a value is inserted at any level, the old value Is 
transported to the next level before it Is overwritten at the current level. 

20 This method results in a coordinate cache containing coordinates with an exponentially 

growing age. Level 0 stores coordinates with an age of 1 or 2 (the prior checked coordinate 
or the one before the prior checked coordinate), level 1 stores coordinates with an age of 3 
- 6 (3 at the test after the coordinate has been inserted, and then growing to 6 before the 
next coordinate is inserted), level 2 stores coordinates with an age of 7 - 14, and so on. 

25 

The pseudo program code in Example I shows how the cache may be implemented. 

Because the age of the levels is varying, a periodic solution may not be found immediately. 
A periodic solution having a period length of 11 tests will be detected at level 2 of the 
30 cache, because the age of the data at level 2 is between 7 and 14. However, the test will 
not detect the periodic solution before the coordinate is exactly 11 tests old. Therefore up 
to 12 tests may be performed before the periodic behavior is detected. In this case, it 
means that the system may pass through up to 12/11 period before it is detected. 

35 A possible expansion to the algorithm described above is a varying TransportAge, cf. the 
pseudo code program in Example I. If some coordinates can be Identified as more likely to 
take part of a periodic solution then others, the InsertCoordinate procedure, cf. the pseudo 
code program In Example I, may recognize them, and use a reduced value of TransportAge 
for those. This will favor the critical coordinates in the cache, and make the data in cache 

40 become younger if many critical coordinates are stored. The younger age of data in the 
cache makes a periodical solution detectable after less iteration within the periodic 
solution. 
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The test may be performed after each iteration. That means every time we have calculated 
a new coordinate set of the solution. However, to save processor resources, the test 
should instead be performed at a periodic interval. I order to mal<e the test worl<; the test 
must be performed when the solutions is at a recognizable position. One way to mal<e sure 
5 the test Is performed at the same position each time is to find a recognizable point in the 
graphical plot of the solution. To do so, the system has to be analyzed for its characteristic 
behavior, and a criterion has to be chosen. For the above shown non-linear system, the 
examples of criteria illustrated in Figs. 11-13 are useable. 

10 First possible criterion, as illustrated in Fig. 11 is change of sign of x from minus to plus. 
That is, when the sign of x changes from minus to plus, the test is performed. The second 
criterion is change of sign of dx from plus to minus, as illustrated in Fig. 12. The third 
criterion is change of dy from plus to minus, as illustrated in Fig. 13. 

15 When choosing the criterion, two considerations have to be made. First of ail, aii possible 
periodic solutions shall be able to fulfil the criterion. Secondly, to reduce processor load, 
the criterion with fewest tests should be selected. 

At design time some extra tests can be performed on the systems and the chosen 
20 parameter spaces, to ensure the efficiency, stability and correctness of the system. These 
tests may include calculations of Lyapunov exponents, using Gram-Schmidt 
orthogonalization, as well as statistical analysis of the keystream. 

EXAIVIPLE I 

25 

The following pseudo code program shows an example of a program for encrypting and 
decrypting data according to the invention which encrypts one byte at a time. The program 
worl<s in accordance with the flow charts of Figs. 15-22. The program worl<s with 32-bit 
registers. Fig. 15 illustrates a method which encrypts a file containing data. Figs. 16-22 
30 correspond to those functions shown in the pseudo-code below which relate to check for 
periodic solution and to a stream-cipher using the Lorenz system. 

Pseudo-code for fixed-point library 

35 FloatToFixedPoint: Converts a floating-point number, X, into a fixed-point number. The 
result of the function has the format S(a.b) or U(a.b) 

fixedpoint FloatToFixedPoint ( float X) 
{ 

40 return X*2*; // b is the nioinber of bits after the decimal 

// separator in the fixed-point 
// representation of the result 

} 
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FixedPointToFloat: Converts a fixed-point number, X, having the format S(a.b) or U(a.b), 
into a floating-point number. 

float FixedPointToFloat (fixedpoint X) 
5 { 

return X*2'''; // b is the nxiinber of bits after the decimal 

// separator in the fixed-point 
// representation of x 

} 

10 

ConvertFixedPoInt: Converts an input fixed-point number, X, having the format S(a.b) or 
U(a.b), into the requested format, S(c.d) or U(c.d). The result is signed if the argument, X, 
is signed, and vise versa. 

15 fixedpoint ConvertFixedPoInt (fixedpoint X) 
{ 

return X*2'*'''; // b is the number of bits after the decimal 

// separator in the fixed-point 
// representation of X. d is the number of 
20 // bits after the decimal separator in the 

// fixed-point representaiton of the result 

} 



Addition and subtraction of fixed-point numbers in the same format are performed using 
25 ordinary integer addition and subtraction functions. 

MulFixedPoint: Multiply two fixed-point numbers, X and Y. X has the format S(a.b) or 
U{a.b) and Y has the format S(c.d) or U(c.d). The resulting fixed-point number, has the 
format S(e.f) or U(e.f). The result as well as X and Y must all be either signed or unsigned 
30 values and stored in 32-bit registers. ">>" is the arithmetic shift right for signed 
multiplication and logical shift right for unsigned multiplication. 

fixedpoint MulFixedPoint (fixedpoint X, fixedpoint Y) 
{ 

35 fixedpoint64 Temp; // A 64-bit register to hold the intermediate 

// result 



Temp = X*Y; // Two 32 -bit values X and Y are multiplied 

// into the 64 -bit intermediate result 

return Temp » b+d-f; // b and d are the number of bits after the 
// decimal separator in the fixed-point 
// representation of X and Y respectively. 
// f is the number of bits after the decimal 
// separator in the fixed-point 
// representation of the result. 
// The conversion of the value of a 64-bit 
// register into a 32 -bit register is 
// performed by ignoring the 32 most 
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// significant bits and copying 

// the 32 least significant bit into the 

// destination register. 

} 

5 

Pseudo-code for check for periodic solution 

Global constants in the sub-system for checlcing for periodic solutions. The code is able to 
detect periods when the number of inflexions is lesser than TransportAge'^*^'^'"'^"^ (Note 
10 that there can only be half as many inflexions as iterations.) 

const int CacheDepth = 32; 
const int Transport Age =2} 
const int SpareSeedLength = 16; 

15 

The sub-system for checking for periodic solutions has a number of global variables e.g. to 
store the cache of old coordinates and the spare key to be loaded If a periodic solutions is 
found. 

20 f ixedpoint xCache [CacheDepth] ; 
f ixedpoint yCache [CacheDepth] ; 
f ixedpoint zCache [CacheDepth] ; 
int CoordinateAge [CacheDepth] ; 

25 char SpareSeed [SpareSeedLength] ; 
fixedpoint xOld, xOldOld; 

SetupCoordinateCheck: Set up the sub-system for checking for periodic solutions. All 
positions of the coordinate cache is reset to (x, y, z) = (0, 0, 0), since (0, 0, 0) Is a 
30 stationary point for the Lorenz system, and therefore is a coordinate value indicating that a 
reload of the key is needed. 

void SetupCoordinateCheck () 
{ 

35 int i; 

// Clear coordinate cache 
for (i=0; i<CacheDepth; i+-t-) 
{ 

xCache[i] = 0; 
40 yCache[i] = 0; 

zCache [i] = 0 ; 
CoordinateAge [i] := 1; 

} 

45 xOld =0; // Variables for detecting when to check are 

xOldOld =0; // reset 

// Prepare spare seed 
for (i=0; i<SpareSeedLength ;i+-i-) 
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SpareSeed[i] = 0; 

// Generate the spare key- 
Crypt (SpareSeed, SpareSeed+SpareSeedLength- 1) ; 

5 } 

InsertCoordinate: Inserts a coordinate at a certain level of the coordinate cache if the age 
of the previous values stored at that level has passed a certain threshold value. Before the 
old coordinate at that certain level is overwritten, is it inserted at the next level. 

10 

void XnsertCoordinate(fixedpoint x, fixedpoint y, fixedpoint z, int Level) 
{ 

// Transfer current coordinate at this level 
// ("Level") to next level ("Level"+1) , if 
15 // its age is equal to "TransportAge" , unless 

// this level is the highest level possible. 

if ( (Coordinate&ge [Level] >= TransportAge) && (Level+1 < CacheDepth) ) 

{ 

InsertCoordinate (xCache [Level] , yCache [Level] , zCache [Level] , Level+1); 
20 CoordinateAge [Level] = 0; 

} 

xCache [Level] = x; // Insert the new coordinate 

yCache [Level] = y; 
25 z Cache [Level] = z; 

// Increase the age counter for this level 

CoordinateAge [Level] ++! 

} 

30 

CheckCoordinate: Checks if the x variable solution curve has an inflexion, for which the 
sign of the slope of the curve changes from positive to negative. If not, the function exits. 
Otherwise the function checks if an equal coordinate is stored In the coordinate cache. If a 
match is found, the function loads the spare key Into the algorithm. Finally, the coordinate 
35 is inserted Into the coordinate cache. 

void CheckCoordinate ( fixedpoint x, fixedpoint y, fixedpoint z) 
{ 

int i; 

40 

// If inflexion, where the slope of 
// X curve changes from positive to 
// negative . . . 
if ({x <= xOld) && (xOldOld <= xOld) ) 
45 { 

// Check all stored coordinates . . . 
for (i=0;i<CacheQepth;i-i-'t-) 
{ 

// If match is found . . . 
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if ((xCache[i] == x) && {yCache[i] == y) && {zCache[i] == ss) ) 
{ 

// Period is found! - Load spare key 
// and reinitialize 

5 Xnitl28(SpareSeed) ; 

break; 

} 

} 

// Insert the coordinate into the 
10 // coordinate cache 

InsertCoordinate (x, y, z, 0); 

} 

// Store the x value for future comparison 

15 xOldOld = xOld; 
xOld = x; 

} 



20 Pseudo-code for stream-cipher using the Lorenz system 

In this context, the modulus function, I^OD, which takes an argument, q, returns a positive 
values in the range [0;q[. 

25 The a-variable in the Lorenz equations has been renamed to "s". 

The format of the fixed-point variables are defined according to Table I. 

Table I: 



30 



Variable 


Fixed-point format 


r 


S(7.24) 


b 


S(7.24) 


s 


S(7.24) 


X 


S(7.24) 


y 


S(7.24) 


z 


S(7.24) 



The format of the temporary fixed-point variables used in the Crypt function are defined 
according to Table II. 



35 Table II: 



Variable 


Fixed-point format 


tx 


S(15,16) 


ty 


S(15.16) 
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tz 


5(15.16) 


dt 


5(12.19) 



Allowed values for parameters, r, b, and s, and allowed starting conditions for coordinates, 
X, y, and z are listed in Table III: 



5 Table III: 



Variable 


Allowed value 


r 


[i;5[ 


b 


[b+10;b+18[ 


s 


[4-b+0.5-s+12.5;4-b+0.5-s+20.5[ 


Xo 


[-32;32[ 


yo 


[-32;32[ 


Zo 


[-32;32[ 



Crypt: Encryption, decryption and PRNG function. Arguments are PData (pointer to the first 
byte to encrypt/decrypt) and PEnd (pointer to the last byte to encrypt/decrypt). If the 
10 function is intended to generate pseudo-random numbers, the function should be given an 
amount of data to encrypt (e.g. zeroes) of the same size as the requested pseudo-random 
data. 

void Crypt (char* PData, char* PEnd) 
15 { 

fixedpoint dt; 

while (PData <= PEnd) 
{ 

20 // Calculation of the time step 

dt = 10*2'" + X MOD 2'"; 

tx = s*(y-x); // Calculation of the next state 

ty = X* (r-z) -y; 
25 tz = x*y-b*z; 

X = X + tx*dt; 
y = y + ty*dt; 
z = z + tz*dt; 

30 // Check and insert the coordinate 

InsertCoordinate (x, y, z, 0); 

// Extract and encrypt 
*PData = *PData XOR ( (y*2" XOR y*2^') MOD 2*) ; 

35 

PData = PData + 1; // Increase the pointer to data to encrypt 

} 

} 



APPLICATION/25557US02/JPF/PNI/07-12-01 



48 



MaskParameters: To ensure that the initial state and the parameters are valid after loading 
an expanded key or a pseudo-random sequence, the state and parameters has to be 
modified using this function. The correction is performed according to the restrictions 
5 defined in table III. 

void MaskParameters 0 

{ 

X = x*0.25; 
10 y = y*0.25; 

z = z*0.25; 

b = (b MOD 4) + 1; 

S o (s MOD 8) + 10 + b; 

r = (r MOD 8) + 12.5 + 2*b + 0,5*s; 

15 } 

Initl92: Load a 192-bit seed (pointed to by the PSeed pointer) into the state of the 
system. 

20 void Initl92 (char* PSeed) 



X = *PSeed; 

y = * (PSeed+4) ; 

z = *(PSeed+8); 

r = *(PSeed+12) ; 

b = *(PSeed-fl6) ; 

s = *(PSeed-i-20) ; 



// Copy the seed into the state 



MaskParameters { ) ; 



30 } 



// Correct the state to make it valid 



Initl28: Load a 128-bit seed (or key) (pointed to by the PSeed pointer) Into the state of 
the system performing the key setup procedure. 



35 void Xiiitl28 (char* PSeed) 
{ 

char Seedl92 [24] s 
int i; 



// Allocate 24 bytes of memory 



40 



X = *PSeed; 

y = *(PSeed+3) ; 

z = * (PSeed+6) ; 

r = * (PSeed+8) ; 

b = * (PSeed+10) ; 

s = *(PSeed+12) ; 



// The seed is expanded into the state 



MaskParameters ( ) ; 



// Make state valid 

// Iterate 16 rounds before extraction 
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Crypt (Seedl92, Seedl92+15) ; 



for (i=0ji<24;i++) 
Seedl92[i] = 0; 



// Reset the data In Seed to zeroes 



5 



// Generate 24 bytes of pseudo-random data 



Crypt (Seedl92, Seedl92+23) ; 



10 



Inltl92(Seedl92} ; 



// Load the pseudo- random data into the state 



// Iterate 16 rounds before using the 
// algorithm 



15 



Crypt (Seedl92, Seedl92-i-15} ; 



// Initiate the coordinate check algorithm 



SetupCoordinateCheck 0 ; 



} 



20 



The statistical properties of the output of the system, i.e. the keystream, may be tested 
according to the NIST (IMational Institute of Standards and Technology) Test Suite, cf. 'A 
statistical test suite for random and pseudo-random number generators for cryptographic 
applications', NIST Special Publication 800-22. See also http://csrc.nist.gov/rng/rng2.html. 
25 The NIST Test Suite comprises sixteen different tests, which are briefly summarized beiow. 
The tests may for example be performed on a program similar to the above pseudo-code 
for a stream cipher using the Lorenz system. 

The tests deliver a number of almost non-overlapping definitions of randomness. The 
30 simpler definitions are included below, whereas those definitions which require more 
complicated concepts from the theory of probability are referred to by the phrase "what 
can be calculated/is expected for a truly random sequence". The above NIST publications 
contain the appropriate definitions and references to works on the theory of probability. 

35 Frequency monobit test: This test determines the proportion of zeroes and ones for the 
entire keystream sequence. For a truly random keystream sequence, the number of ones 
is expected to be about the same as the number of zeros. During the test, it is investigated 
whether this property holds for the keystream sequence in question. 

40 Frequency block test: In this test, the keystream sequence is divided into M-bit blocks. In 
a truly random keystream sequence, the number of ones in each block is approximately 
M/2. If this also characterizes the tested keystream sequence, the test is regarded as 
successful. 

45 Runs test: A run within the keystream sequence is defined as a sub-sequence of identical 
bits. The test checks for runs of different lengths, where a run of length k is constituted by 
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k identical bits bounded by bits of a value opposite to the bits in the run. The occurrence of 
runs of different lengths is compared to what is expected for a truly random sequence. 

Longest run of zeroes: In this test, the sequence is divided into blocks of M bits each, and 
5 the longest run of ones within each block is found. The distribution of the lengths of runs 
for the blocks is compared to the distribution for blocks in a random sequence. An 
irregularity in the expected length of the longest run of ones indicates that there is also an 
irregularity in the expected length of the longest run of zeroes. 

10 Binary matrix rank test: In this test, fixed length sub-sequences of the keystream 

sequence are used to form a number of matrices by colllecting M-Q bit seggments into M 
by Q matrices. By calculating the rank of these matrices, the test checks for linear 
dependence among the sub-sequences. 

15 Discrete Fourier transform test: By applying the discrete Fourier transform, this test 

checks for periodic characteristics of the keystream sequence. The height of the resulting 
frequency components are compared to a threshold defined from a truly random sequence. 

Non-overlapping template matching test: When performing this test, a number of non- 
20 periodic m-bit patterns are defined, and the occurrences of the particular patterns are 
counted. 

Overlapping template matching test: This test is very similar to the non-overlapping 
template matching test, the only differences being the structure of the pattern of m bits, 
25 and the way the search for the pattern is performed. The pattern of m bits is now a 
sequence of m ones. 

I^iaurer's universal statistical test: This test calculates the distance between matching 
patterns In the keystream sequence. By doing so, a measure of the compressibility of the 
30 keystream sequence is obtained. A significantly compressible keystream sequence is 
considered to be non-random. 

Lempel-Ziv compression test: In this test, the number of cumulatively distinct patterns is 
calculated, thus providing a measure of the compressibility of the keystream sequence. 
35 The result is compared to a random sequence, which has a characteristic number of 
distinct patterns. 

Linear complexity test: This test calculates the length of a linear feedback shift register in 
order to determine whether or not the sequence is complex enough to be considered 
40 random. 

Serial test: This test calculates the frequency of all possible overlapping m-bit patterns 
across the entire sequence. For a truly random keystream sequence, all of the 2"" possible 
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m-bit patterns occur with the same probability. The deviation from this probability is 
calculated for the keystream sequence in question. 

Approximate entropy test: This test has the same focus as the serial test, but with the 
5 added feature that the frequencies of m- and (m+l)-bit patterns are calculated. The 

results obtained for the patterns of different length are compared and used to characterize 
the sequence as either random or non-random. 

Cumulative sums test: In this test, the sequence is used to define a random wall< with 
10 ones and zeroes corresponding to +1 and -1, respectively. It is determined whether the 
amplitudes of the cumulative sums of the partial keystream sequences are too large or too 
small relative to what is expected for a truly random keystream sequence. 

Random excursions test: In this test, the sequence is similarly to the cumulative sums test 
15 transferred into a random walk. The number of visits to certain states (values the 

cumulative sum can hold), which the random walk potentially passes through, is used to 
characterize the sequence as either random or non-random. The considered states are -4, 
-3, -2, -1, 1, 2, 3, 4. 

20 Random excursions variant test: Almost identical to the random excursions test. Eighteen 
states are used in this test. 

For each test, a P-value, Pvai, is calculated, which provides a quantitative comparison of the 
actual sequence and an assumed truly random sequence. The definitions of the P-values 
25 depend on the actual test (see the NIST documentation). Values of Pvai > a indicate 

randomness, where a is a value in the interval 0.001 < a < 0.01, the exact value of a being 
defined for each test. Otherwise, non-randomness is declared. 

The NIST Test Suite defines, for each test, the proportion of samples, whose P-value 
30 should pass the criterion Pvai > a. In ail of the above tests, except the Random excursions 
test, the proportion of samples whose respective P-values, Pvai, pass the appropriate 
criteria should be at least 0.972766. For the Random excursions test, the proportion given 
by NIST is at least 0.967813. 

35 In preferred embodiments of the present invention, the following proportions are 

preferably achieved, as an average of at least lO'* samples obtained by use of randomly 
chosen keys: at least 0.975, such as at least 0.98, such as at least 0.985, such as at least 
0.99, such as at least 0.995, such as at least 0.998. 

40 Possible input parameters to the NIST Test Suite are given in Table IV below in the 
notation used in the documentation accompanying the NIST Test Suite. 

TABLE IV: 
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Name of test 


Input 


Frequency block test 


m = 100 


Longest run test 


M = 10000 


Non-overlapping templates matching test 


m = 9 


Overlapping templates matching test 


m = 9 


Maurer's universal test 


L = 7, Q = 1280 


Serial test 


m = 5 


Approximate entropy test 


m = 5 



EXAMPLE II 

5 Table V shows the speed of encryption of a method according to the present invention as 
well as speeds of encryption of various known encryption methods. The speed of the 
encryption method of the present invention was achieved In a prototype incorporating the 
features of the encryption/decryption program according to the invention. The key size 
was a 256 bit key, and the encryption/decryption speed was measured on a 400 MHz 

10 Pentium II processor by counting number of clock cycles spend on execution of the 
encryption/decryption algorithm. The prototype of the algorithm was implemented in 
assembly language using MMX^" Instructions on a system involving two instances, as 
exemplified in Fig. 7. The prototype solved two Lorenz systems exhibiting chaotic behavior 
and extracted a total of 64 bit in each integration step, i.e. in each combined integration 

15 step of the two instances. The prototype differed from the algorithm of the pseudo code 
program described in Example I with reference to Figs. 15-22 mainly in that: 

- The prototype utilized the MMX™ technology by solving two systems in parallel. 

- The prototype extracted a total of 64 bit in each integration step. 

- The prototype did not test for periodic solutions. 

20 

From the measurements, the speed was calculated to be equivalent to an 
encryption/decryption speed of 1010 Mbit/sec on a 450 MHz Pentium II processor. 



Table V: 



Name 


Year of 
intro- 
duction 


Type 


Key size 
[bit] 


Block 
size [bit] 


Speed 
[clocks/ 
byte] 


Speed 
[Mbit/s] 


Memory 
Requirements 
for tables etc. 

[bytes] 


AES/Rijndael 


1998 


block 


128-256 


128-256 


14.8^ 


232 


>256-4096 


Blowfish 


1994 


block 


32-448 


64 


18^ 


191 


<5K 


Present 
Invention 




stream 


128-256 




3.4 


1010 


40-72 


DES 


1975 


block 


56 


64 


45^ 


76 


>256 


IDEA 


1992 


block 


128 


64 


50^ 


69 


>12 


Panama 


1998 


stream 


256 




6.7^ 


512 


>1092 


RC4 


1987 


stream 


32-2048 




7^ 


490 


>256 
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SNOW 


2000 


stream 


128-256 




8.1^ 


424 


1024 


SOBER-t32 


2000 


stream 


128 




1.1" 


470 


? 



Speed is estimated from different sources. The superscripts in tlie "Speed [clocl<s/byte]" 
column of Table V refers to the below source references: 



5 1. Crypto++ 4.0 Benchmarks, www.eskimo.com/~weidai/benchmarks.htmi, 
i^S C++ (Intel Celeron BSOI^Hz), available on 7 December 2001. 

2. Bruce Schneier et al.: Fast Software Encryption: Designing Encryption Algorithms for 
Optimal Software Speed on the Intel Pentium Processor. 

10 

3. Kazumaro Aoki et al.: Fast Implementation of AES Candidates (128 bit keys, 128 bit 
blocks, Pentium II). 

4. Performance Evaluation of NESSIE First Phase (draft version 3.0), 

15 http://www.cosic.esat.kuleuven.ac.be/nessie/ available on 7 December 2001. 

In general, speed and memory can be traded for many of the implementations, e.g. by 
using lookup tables which require more memory but may save processing time. 

20 End of Example II 

When performing computations on numbers expressed as binary numbers, for example 
when adding or multiplying two numbers, it may be possible to omit parts of the 
computations involved in addition or multiplication, if bits of a number resulting from the 

25 addition or multiplication may be omitted or disregarded. Thus, if the least significant bits 
of the resulting number are not necessary or if the most significant bits of the resulting 
number may be disregarded (which may be the case in a pseudo-random number 
generator, where what is needed is not the true result of the computations but merely a 
pseudo-random number), the least and/or most significant bits of the resulting number 

30 need not be computed. 

Thus, in a further aspect, the present invention relates to a method for performing 
mathematical operations on integer numbers of a certain bit width which is larger than the 
register width of the processing unit on which the computations are performed. 

35 l^athematical operations or computations on fixed-point numbers are performed as integer 
operations, whereby the integer numbers are expressed as binary numbers. The binary 
representation of integer numbers requires a certain register width, e.g. 32 bit. When 
performing mathematical operations, such as addition or multiplication, by means of a 
processing unit having a register width which is smaller than the width required for 

40 representation of the binary numbers, e.g. 8 bit, the binary numbers may be split into a 
plurality of binary sub-numbers, each represented by a width equal to or smaller than the 
register width of the processing unit. Thus, two 32 bit numbers may be spilt into two sets 
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of four 8 bit sub-numbers, and multiplication or addition may be performed on the 8 bit 

sub-numbers by means of an 8 bit processing unit. For example, addition of a number 

A = 11011001101101010110101010110111 and a number 

B = 10000111011110111111010101001001 
5 to acfiieve a result R=A+B may be performed by performing the following steps: 

1. Each of the numbers A and B is split into four sub-numbers, Al, A2, A3, A4, and Bl, 
B2, B3, and B4. Al represents the 8 most significant bits of the number A, and A4 
represents the 8 least significant bits of the number A, etc. Thus, in the example 
shown above, the sub-numbers are: 



10 



15 



Al= 


11011001 


A2= 


10110101 


A3= 


01101010 


A4= 


10110111 


Bl= 


10000111 


B2= 


01111011 


B3= 


11110101 


B4= 


01001001 



2. The least significant sub-numbers, A4 and B4 are then added: R4=A4+B4. Any carry 
resulting from the addition of A4 and B4, C4, is stored. 
20 3. The second least significant sub-numbers, A3 and B3, and the carry from step 2 above, 
C4, are then added: R3=A3+B3+C4. Any carry resulting from this addition, C3, is 
stored. 

4. Addition of A2 and 82 in a way analogous to step 3, to achieve R2 and C2. 

5. Addition of Al and Bl in a way analogous to steps 3 and 4 to achieve Rl. Any carry 
25 resulting from this addition, CI, is regarded as overflow and is not taken into 

consideration. 

6. The number resulting from the addition of A and B is stored as four sub-numbers, Rl, 
R2, R3 and R4, and/or represented by a 32 bit wide string built from the sub-numbers 
Rl, R2, R3, and R4. 

30 

In case not all bits in a number resulting from a multiplication operation are to be used in 
further computations, and/or in case not all bits are significant for the further 
computations and may be disregarded, processing time in connection with multiplication 
operations on a processing unit having a register width smaller than the bit width of the 
35 numbers to be multiplied may be reduced by performing only partial multiplication as 
explained below. For example, multiplication of two 16 bit numbers, D and E, wherein 
D = 1101100110110101 and 
E = 0110101010110111 

on an 8 bit processing unit to achieve a 32 bit number, F, may be performed by the 
40 following steps: 

1. Each of the numbers D and E are split into two sub-numbers, Dl, D2, and El, E2. Dl 
represents the 8 most significant bits of D, D2 represents the 8 least significant bits of 
D, etc. Thus, in the example shown above, the sub-numbers are: 
01=11011001 
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02=10110101 
El=01101010 
E2=10110111 

2. Di is multiplied with El to achieve a 16 bit number expressed as two 8 bit numbers, 
5 Gl and G2. 

3. Dl is multiplied with E2 to achieve a 16 bit number expressed as two 8 bit numbers, 
HI and H2. 

4. D2 is multiplied with El to achieve a 16 bit number expressed as two 8 bit numbers, II 
and 12. 

10 5. D2 is multiplied with E2 to achieve a 16 bit number expressed as two 8 bit numbers, Jl 
and 32. 

6. The resulting 32 bit number F is expressed as four 8 bit numbers, Fl, F2, F3, and F4, 
wherein: 
F4=J2 
15 F3=H2+I2+J1 

F2=G2+Hl+Il+[any carry resulting from the calculation of F3] 
Fl=Gl+[any carry resulting from the calculation of F2], 

as illustrated In Fig. 14 wherein I^S denotes "most significant 8 bit" and LS denotes 
"least significant 8 bit". 

20 Processing time may be saved by disregarding F4, i.e. the ieast significant bits of the 
number resulting from the multiplication, and by disregarding Jl in the addition which 
leads to F3. Thus, the multiplication of D2 with E2 at step 5 may be omitted, whereby less 
mathematical operations are performed, which leads to saving of processing time. This 
omission has an impact on the computational result which, however, may be acceptable If 

25 the omission is performed consistently throughout the computations in, e.g. a pseudo- 
random number generator, e.g. in an encryption/decryption algorithm, and if it is 
performed both in decryption and encryption. It should usually be ensured that properties 
of the mathematical system, e.g. chaotic behavior, which are of importance in the context 
in question, e.g. encryption/decryption, are maintained in spite of the impact which the 

30 omission of one or more computational steps has on the computations. 

In a further aspect, the invention relates to a method of performing multiplication 
operations on a first binary number and a second binary number. The method comprises 
summing a number of intermediate results, whereby the sum of the intermediate results is 
35 equal to the product of the two numbers. Each intermediate result is achieved as the 
product of one single bit (1 or 0) of the first number and the entire second number, a, 
whereby the product and thus the intermediate number may be determined by a simple 
"if.. .then" algorithm and/or a logical AND operation, as the product of 1 ■ a = a, and as the 
product of 0 • a = 0. 

40 

Subsequent to computing the intermediate number, the intermediate number is shifted a 
number of positions to the left, the number of positions corresponding to the position of 
the bit of the first number from which that particular intermediate number is calculated. 
Alternatively, either the second number or the particular bit of the first number is switched 



APPLICATION/25557US02/JPF/PNI/07-12-01 



56 



to the left. Accordingly, the step of multiplying one bit of a first one of the two numbers is 
repeated for each bit of the first number. For example the product of a first number, 0110, 
and a second number 1010 is computed as follows: the least significant bit of the first 
number, 0, is multiplied with the second number 1010 to obtain a first intermediate 
number, 0000. Then, the second least significant bit of the first number, 1, is multiplied 
with the second number and shifted one position to the left to obtain a second 
intermediate number, 10100. Then, the third least significant bit of the first number, 1, is 
multiplied with the second number and shifted two positions to the left to obtain a third 
intermediate number, 101000. Finally, the most significant bit of the first number, 0, is 
multiplied with the second number and shifted three positions to the left to obtain a fourth 
intermediate number, 0000000. The resulting number is obtained as a sum of the four 
intermediate numbers, as illustrated below, the underlinings indicating which bits are being 
multiplied in the individual steps: 

0110 • 1010 0000 (first intermediate number) 

0110 ■ 1010 10100 (second intermediate number) 
0110 ■ 1010 101000 (third intermediate number) 
0110 • 1010 0000000 (fourth intermediate number) 

Result: 0111100 (sum of intermediate numbers) 
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